Malware Analysis Report

2024-08-06 11:04

Sample ID 231222-b64dnsfhh9
Target e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e
SHA256 e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e
Tags
cobaltstrike 100000000 backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e

Threat Level: Known bad

The file e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e was found to be: Known bad.

Malicious Activity Summary

cobaltstrike 100000000 backdoor trojan

Cobaltstrike

Blocklisted process makes network request

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-22 01:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 01:46

Reported

2023-12-22 01:49

Platform

win10v2004-20231215-en

Max time kernel

180s

Max time network

201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4844 set thread context of 3248 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe \??\c:\windows\system32\rundll32.exe

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4844 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4844 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe \??\c:\windows\system32\rundll32.exe
PID 4844 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe \??\c:\windows\system32\rundll32.exe
PID 4844 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe \??\c:\windows\system32\rundll32.exe
PID 1032 wrote to memory of 1732 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 1732 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe

"C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/chrome/update/

\??\c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb9c046f8,0x7ffeb9c04708,0x7ffeb9c04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5677623006492062317,12074556975241573259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 image-sangfoross.b4a.run udp
DE 18.66.248.97:443 image-sangfoross.b4a.run tcp
US 8.8.8.8:53 97.248.66.18.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
DE 18.66.248.97:443 image-sangfoross.b4a.run tcp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
GB 142.250.200.4:443 www.google.com udp
US 8.8.8.8:53 2542116.fls.doubleclick.net udp
US 8.8.8.8:53 tools.google.com udp
GB 142.250.179.238:443 tools.google.com tcp
GB 142.250.179.230:443 2542116.fls.doubleclick.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 172.217.169.34:443 googleads.g.doubleclick.net tcp
GB 142.250.200.38:443 static.doubleclick.net tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 232.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 230.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 34.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 38.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
DE 18.66.248.97:443 image-sangfoross.b4a.run tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
GB 142.250.200.4:443 www.google.com udp
DE 18.66.248.97:443 image-sangfoross.b4a.run tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 216.239.34.36:443 region1.google-analytics.com udp
DE 18.66.248.97:443 image-sangfoross.b4a.run tcp
DE 18.66.248.97:443 image-sangfoross.b4a.run tcp

Files

memory/3248-0-0x000001515E9B0000-0x000001515E9B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fa070c9c9ab8d902ee4f3342d217275f
SHA1 ac69818312a7eba53586295c5b04eefeb5c73903
SHA256 245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7
SHA512 df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

\??\pipe\LOCAL\crashpad_1032_EHIWTFUYGSTVRMJZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3248-19-0x0000015160850000-0x0000015160C50000-memory.dmp

memory/3248-18-0x0000015160C50000-0x00000151610C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cef2da8a21a19643d9689947b35d3457
SHA1 0d7b08af5d5ffab1db76a1b2b809288855ce6826
SHA256 6ed1d9ee72a5c4a04d8196760ff8c4c9dc7cf661ff32fceecf72649444e7a79c
SHA512 297f7f3a20f4f938c2fd3e5d1b710e7312ade8710cf2d2b83b87c108e077ab65b8aadfd8aa50733a8c2a58d4051d9ad787f2e4fa6a28e5100a0757c690890c03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 11206491eb073bc03bece1aa332b0f94
SHA1 4b47e51314f61dbd1623addac28126a3b0ac479a
SHA256 b79aade02ef162e4376d132c561b91c02f6995f259cb0eea4e1a9ee4a3285dc4
SHA512 23992b243dec127c4dd4a88f73076eb8b61187f6f8545dce8b54cdbddd2e96e5bab47c6695f7f0dfc2a815374e95c3c11f1f5f188bd1f14d2a3b5663373fcb6b

memory/3248-49-0x0000015160850000-0x0000015160C50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a5ccc4a0a9e9ebb00d119f1ddea251e8
SHA1 3799a259730c8148b5639043043fdded60143860
SHA256 79d031b50ca6a2ac57e114151804ba88150a45308a19192613650ba352f3cd83
SHA512 b9bf7be04fef1a4cda219babf400477745cea489fdd64b2f0b475c750542ab9feff7de8c261a74f1fc20a5bd68b1b738f37dbb335f36992d2042d5b6ad67c371

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9484642a7a1e9b878babe9546d4b23aa
SHA1 188b29ca8e83b985b1719d836b9f76dbf95660db
SHA256 431e1d831d758a1440b88da13a60323e110a981151d22eb5a2c757b386ff33ca
SHA512 8de553245362c165b13552a57fb264624e3b64476fdeeaf55cf230c83539787633b248d3cf02b807fd5617b987584338fd21d7f34c71df74eddbc9c9efd589e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 917dedf44ae3675e549e7b7ffc2c8ccd
SHA1 b7604eb16f0366e698943afbcf0c070d197271c0
SHA256 9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37
SHA512 9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3b83c7b79ff2e694ec64656fe288463a
SHA1 a295f28c7bf18f85d88e27a255241b7af3251fb7
SHA256 f3f37620d4e99ac0f0f7533762794afa9f3f24a4e2a18ef9230c874298c6badf
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c692.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 01:46

Reported

2023-12-22 01:49

Platform

win7-20231215-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\system32\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1104 set thread context of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe \??\c:\windows\system32\rundll32.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8E80C71-A06B-11EE-B93A-6E3D54FB2439} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007e06cf7834da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409371477" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa0000000002000000000010660000000100002000000005dbd72b6e4dc9331fb2c53e38a1204637afbc4a94d41e3a5d92b2b0aa4af5cf000000000e80000000020000200000002139683f0349e8a396d3085722cfdd211cb1ca63018ca299c25243918c8b9650200000006f5a5453e8a5753692d15a2306a24363974b118e40605a12115e77d27625b71d400000009f9bb2e27d47d75f653815b6c36cf454e84cb21c5f65fea1dac0cb0f5ed9333b47a552c55f98d0bcdd4170210e98a3c5fdc1113804b1e1cebbe0fbacfbd5490b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1104 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe \??\c:\windows\system32\rundll32.exe
PID 1504 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe

"C:\Users\Admin\AppData\Local\Temp\e6a7c218fb8c7e1e323b2423e39bcf70d529edd87abdb5da5f6a03e36b99e39e.exe"

\??\c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/chrome/update/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 image-sangfoross.b4a.run udp
DE 18.66.248.97:443 image-sangfoross.b4a.run tcp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 tools.google.com udp
GB 142.250.179.238:443 tools.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/3008-0-0x0000000000060000-0x0000000000061000-memory.dmp

memory/3008-2-0x0000000000060000-0x0000000000061000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6WEH2YLI\favicon-16x16[1].png

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t83hqs9\imagestore.dat

C:\Users\Admin\AppData\Local\Temp\Cab5B7A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar5B7B.tmp