Malware Analysis Report

2024-10-23 21:10

Sample ID 240125-v2ez3abff4
Target 75184d23f2274ec055b70fb9a78ad166
SHA256 dbff81f2bdd65f4f99e28fcdbbb4b410f5a12d9882b866b82082602899f610dc
Tags
redline sectoprat build2_mastif agilenet infostealer persistence rat trojan kinsing loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 dbff81f2bdd65f4f99e28fcdbbb4b410f5a12d9882b866b82082602899f610dc

Threat Level: Known bad

The file 75184d23f2274ec055b70fb9a78ad166 was found to be: Known bad.

Malicious Activity Summary

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan kinsing loader

Kinsing

SectopRAT payload

RedLine

RedLine payload

SectopRAT

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:28

Reported

2024-01-25 17:31

Platform

win7-20231215-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical hits, no details recorded)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical hits, no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (2 identical hits, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A (3 identical hits)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2768 set thread context of 2344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000c73d5de205dfad519d0fd9024e5312595432e40bb6c1cb87df220868fdb19c13000000000e800000000200002000000080cc5a7b35d714bd43fc24c7ef8b80ace3b59637c91e153101263ac84ff61ee5200000007750eb7ff33b6d5bfcee8b3a80257d3368a0bb4af3183bdf26b6e32bc8006d8240000000e55fda4cf212f24a910b75db392cad4d20537cfdcee4a3f864611cd07e39ad159551091767aeb221f4f16f08b4b3b9e4c72a4b7aed160e9f05d644c3f7a5a9d3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39E29FF1-BBA7-11EE-9D00-76D8C56D161B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ea2710b44fda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412365609" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2040 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 2040 wrote to memory of 2160 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2868 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2052 wrote to memory of 2768 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2868 wrote to memory of 2620 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 2344 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe

"C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS9260.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1XQju7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp (1 connection)
US 172.67.132.113:443 iplogger.org tcp (2 connections)
US 8.8.8.8:53 apps.identrust.com udp (2 connections)
GB 96.17.179.205:80 apps.identrust.com tcp (1 connection)
GB 96.17.179.184:80 apps.identrust.com tcp (1 connection)
US 8.8.8.8:53 x2.c.lencr.org udp (2 connections)
GB 173.222.13.40:80 x2.c.lencr.org tcp (2 connections)
RU 95.181.157.69:8552 N/A tcp (15 connections)
US 204.79.197.200:443 ieonline.microsoft.com tcp (3 connections)
US 8.8.8.8:53 www.microsoft.com udp (2 connections)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

MD5 3973c47bf5f334ea720a9d603d2c6510
SHA1 bf2b72dc12d4d41e08b452e465c40d010b2aba4e
SHA256 4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea
SHA512 cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

C:\Users\Admin\AppData\Local\Temp\7zS9260.tmp\Install.cmd

MD5 21661026606353f423078c883708787d
SHA1 338e288b851e0e5bee26f887e50bfcd8150e8257
SHA256 6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782
SHA512 61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 0c6ef320b361f01d63147dec80c3f34c
SHA1 c04adc3da100118f72e41c1c4645cbf8fa813cee
SHA256 bf89a45619528967430c483c01da54306e4f1b200a8c062697218fdd60bac93f
SHA512 f204ea35dffab3bd703ccf3a52e8ce26be5cde8f24b485b8a0c34a7dc9948bfcae3c7d2d268d5e4fd736dd55245ee995a4bfe0726e2b7fbb379095c69e9ddb69


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:28

Reported

2024-01-25 17:31

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe"

Signatures

Kinsing

loader kinsing

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1296 set thread context of 792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 4532 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 4532 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 5008 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4532 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 4532 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 4532 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 1200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 4876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 4876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4492 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe

"C:\Users\Admin\AppData\Local\Temp\75184d23f2274ec055b70fb9a78ad166.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS8C52.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1XQju7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf56546f8,0x7ffaf5654708,0x7ffaf5654718

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11339710651823036373,12483675928597510757,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

MD5 3973c47bf5f334ea720a9d603d2c6510
SHA1 bf2b72dc12d4d41e08b452e465c40d010b2aba4e
SHA256 4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea
SHA512 cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

C:\Users\Admin\AppData\Local\Temp\7zS8C52.tmp\Install.cmd

MD5 21661026606353f423078c883708787d
SHA1 338e288b851e0e5bee26f887e50bfcd8150e8257
SHA256 6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782
SHA512 61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 0c6ef320b361f01d63147dec80c3f34c
SHA1 c04adc3da100118f72e41c1c4645cbf8fa813cee
SHA256 bf89a45619528967430c483c01da54306e4f1b200a8c062697218fdd60bac93f
SHA512 f204ea35dffab3bd703ccf3a52e8ce26be5cde8f24b485b8a0c34a7dc9948bfcae3c7d2d268d5e4fd736dd55245ee995a4bfe0726e2b7fbb379095c69e9ddb69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d5564ccbd62bac229941d2812fc4bfba
SHA1 0483f8496225a0f2ca0d2151fab40e8f4f61ab6d
SHA256 d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921
SHA512 300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

memory/1296-21-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/1296-22-0x0000000000770000-0x000000000087A000-memory.dmp

memory/1296-23-0x00000000052A0000-0x000000000533C000-memory.dmp

\??\pipe\LOCAL\crashpad_4492_NQFTUHTXDXMRLKRP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1296-29-0x00000000058F0000-0x0000000005E94000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 35468bd7664ac94a9debf4fc123be797
SHA1 a59bdfbaa34bd12a403afe487a077359abfea38c
SHA256 e35ab92526b0bd8427a77260b65d342bc5e2cb2e94afc0c6f090a2fbdfa27d51
SHA512 91816f305ca87438a96f7ce752602f1cf74b9e09655dec542346e91235246ceca3d0b9abf406d07809950b80278003d332426260cf731d00b5d6004efc2bd3e8

memory/1296-51-0x0000000005340000-0x00000000053D2000-memory.dmp

memory/1296-54-0x0000000005240000-0x0000000005250000-memory.dmp

memory/1296-57-0x0000000005290000-0x000000000529A000-memory.dmp

memory/1296-58-0x0000000005530000-0x0000000005586000-memory.dmp

memory/1296-61-0x00000000058A0000-0x00000000058B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 47022385b6b44a6fcb678b2597fb1e27
SHA1 b540137f5717fdde5252f832829f355cf7e96203
SHA256 d5a5c24edf0c58af4e259a3de4caa817f0210a70fa1a27808b6bf0a5c1e52128
SHA512 44373bab6abb76534039be78e15e07fdb38c1c0b55e25c9c0b84f4eb8ea6074bd80ab90af6b3a230a4d45bfb3367f9075765250b47dc0ece729387c0f5776809

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d266b065bb29bced772969b45c685a55
SHA1 e84027bfe21280ed5e6744598fc13a5bed44d569
SHA256 64f14e2b414530e4656e2b756b6a472348c48dea57d9aa6e936fd9ba62c0d840
SHA512 1fb541c102d854b7ca41671a664c6805541375f18f122cef5511650ff81369ed0bead4b09c9374c8605821bfebb3fe80d31134b5c7ae9a1889440a3764130377

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 1d1c7c7f0b54eb8ba4177f9e91af9dce
SHA1 2b0f0ceb9a374fec8258679c2a039fbce4aff396
SHA256 555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18
SHA512 4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

memory/1296-100-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/1296-110-0x0000000005240000-0x0000000005250000-memory.dmp

memory/1296-111-0x00000000081B0000-0x000000000823A000-memory.dmp

memory/1296-112-0x000000000A910000-0x000000000A92E000-memory.dmp

memory/792-113-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RUNTIM~1.EXE.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/1296-117-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/792-118-0x00000000055E0000-0x0000000005BF8000-memory.dmp

memory/792-120-0x0000000005050000-0x0000000005062000-memory.dmp

memory/792-119-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/792-121-0x00000000050F0000-0x000000000512C000-memory.dmp

memory/792-122-0x0000000005180000-0x0000000005190000-memory.dmp

memory/792-123-0x0000000005130000-0x000000000517C000-memory.dmp

memory/792-124-0x00000000053A0000-0x00000000054AA000-memory.dmp

memory/792-138-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/792-139-0x0000000005180000-0x0000000005190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256 f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512 e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf