Malware Analysis Report

2025-08-11 00:27

Sample ID 240219-1fysyaec53
Target 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534
SHA256 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534

Threat Level: Known bad

The file 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

UAC bypass

Sality

UPX packed file

Windows security modification

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

System policy modification

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-19 21:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-19 21:36

Reported

2024-02-19 21:38

Platform

win7-20231215-en

Max time kernel

127s

Max time network

135s

Command Line

"taskhost.exe"

Note: this field carries the first entry of the Processes list, the system taskhost.exe (PID 1120) that the sample wrote into; the sample itself was started as "C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe" (PID 2216), and every registry and file change below is attributed to that process.

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

UPX packed file

upx
Description Indicator Process Target
13 matches, no indicator details recorded (all columns N/A)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f763a14 C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Note: every row in this table is written by the iexplore.exe / IEXPLORE.EXE processes that the sample launched against https://www.douyin.com/ (see Processes), so it records the browser's own housekeeping after that page load rather than registry writes by the sample; the DOMStorage\douyin.com entries are what ties this activity back to the sample's launch of IE.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DOMStorage\douyin.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA024EA1-CF6E-11EE-8568-DED0D00124D2} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DOMStorage\douyin.com\Total = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414540447" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.douyin.com\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DOMStorage\douyin.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.douyin.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (20 occurrences) N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\taskhost.exe
PID 2216 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\Dwm.exe
PID 2216 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\Explorer.EXE
PID 2216 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\DllHost.exe
PID 2216 wrote to memory of 2876 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2876 wrote to memory of 2620 (4 writes) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
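The WriteProcessMemory rows show the pattern that matters for Sality-class infectors: one source (PID 2216, the sample) writing into several unrelated Windows processes (taskhost, Dwm, Explorer, DllHost, then the browser it launched), while the iexplore.exe -> IEXPLORE.EXE writes are a parent setting up a child of the same image, which is ordinary browser process plumbing. The Python below is an added example, not part of the report: it parses rows in the format used above and scores each source PID by injection fan-out and by how many of its targets are Windows host processes. The sample.exe path is a constructed stand-in for the hash-named file, the list of host process names is taken from this page, and the thresholds (three distinct targets, or two system hosts) are assumptions for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# "PID <src> wrote to memory of <dst> N/A <source image> <target image>"
WPM_RE = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+)\s+N/A\s+"
    r"(?P<src>[A-Za-z]:\\.+?)\s+(?P<dst>[A-Za-z]:\\.+?)$"
)

# Windows host processes this sample wrote into (Win7 and Win10 runs), lowercase basenames.
SYSTEM_HOSTS = {"taskhost.exe", "dwm.exe", "explorer.exe", "dllhost.exe", "fontdrvhost.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_wpm(lines):
    """Return (src_pid, src_image, dst_pid, dst_image) for every row that matches; skip the rest."""
    events = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            events.append((int(m["src_pid"]), m["src"], int(m["dst_pid"]), m["dst"]))
    return events


def fan_out(events):
    """Per source PID: distinct targets, which of them are system hosts, and a verdict."""
    by_src = defaultdict(dict)                     # (src_pid, src_image) -> {dst_pid: dst_image}
    for spid, simg, dpid, dimg in events:
        by_src[(spid, simg)][dpid] = dimg          # repeated writes to one PID count once
    report = {}
    for (spid, simg), targets in by_src.items():
        names = {basename(t) for t in targets.values()}
        system_hits = sorted(names & SYSTEM_HOSTS)
        same_image_only = names <= {basename(simg)}   # only wrote into children of its own image
        if len(targets) >= 3 or len(system_hits) >= 2:
            verdict = "broad injection"
        elif same_image_only:
            verdict = "likely benign child setup"
        else:
            verdict = "review"
        report[spid] = {"image": simg, "targets": len(targets),
                        "system_hosts": system_hits, "verdict": verdict}
    return report


# Constructed sample rows, copied from the table above with the hash-named file replaced by sample.exe.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_WPM = [
    "PID 2216 wrote to memory of 1120 N/A " + SAMPLE_EXE + r" C:\Windows\system32\taskhost.exe",
    "PID 2216 wrote to memory of 1192 N/A " + SAMPLE_EXE + r" C:\Windows\system32\Dwm.exe",
    "PID 2216 wrote to memory of 1248 N/A " + SAMPLE_EXE + r" C:\Windows\Explorer.EXE",
    "PID 2216 wrote to memory of 1476 N/A " + SAMPLE_EXE + r" C:\Windows\system32\DllHost.exe",
    "PID 2216 wrote to memory of 2876 N/A " + SAMPLE_EXE + r" C:\Program Files\Internet Explorer\iexplore.exe",
    "PID 2216 wrote to memory of 2876 N/A " + SAMPLE_EXE + r" C:\Program Files\Internet Explorer\iexplore.exe",
    r"PID 2876 wrote to memory of 2620 N/A C:\Program Files\Internet Explorer\iexplore.exe "
    r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    "not a WriteProcessMemory row",
]

if __name__ == "__main__":
    for pid, row in fan_out(parse_wpm(SAMPLE_WPM)).items():
        print(pid, row)
```

The same grouping works on Sysmon Event ID 8 (CreateRemoteThread) or EDR cross-process write telemetry once the source and target images are in hand; the point of the heuristic is that a single non-Windows binary touching Explorer, Dwm and taskhost in one run is the infector's signature, independent of the file's hash.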

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
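The registry rows in the signature tables above (firewall policy, EnableLUA, the Security Center override and notification values, the Security Center\Svc key) are the durable part of this sample's defence evasion and the part that survives a reboot. The Python below is an added example, not code from the sandbox or from this report: it parses rows in the format this report prints and maps each one to the report's own signature label, normalising Wow6432Node/WOW6432Node and ControlSet001 so that the Win7 and Win10 runs match the same rules. The sample.exe path is a constructed stand-in for the hash-named file; the suffix table is built only from values that appear on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One signature row: "<op> <registry path>[ = <value>] <process> <target>", as printed in this report.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str|data)\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+(?P<val>"[^"]*"|\S+))?'
    r'\s+(?P<proc>[A-Za-z]:\\.+?)\s+N/A$'
)


@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str               # normalised: lowercase, hive shortened, Wow6432Node and ControlSetNNN folded
    value: Optional[str]
    process: str


def normalise_key(raw: str) -> str:
    k = raw.lower()
    k = k.replace("\\registry\\machine\\", "hklm\\", 1).replace("\\registry\\user\\", "hku\\", 1)
    k = k.replace("\\wow6432node\\", "\\")                       # 32-bit view of the same policy keys
    k = re.sub(r"\\controlset\d+\\", r"\\currentcontrolset\\", k)
    return k


def parse_row(line: str) -> Optional[RegEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    val = m.group("val")
    if val is not None:
        val = val.strip('"')
    return RegEvent(m.group("op"), normalise_key(m.group("key")), val, m.group("proc"))


# (normalised key suffix, value that signals tampering, or None for a key creation, report signature label)
SALITY_TAMPER = [
    ("policies\\system\\enablelua", "0", "UAC bypass (EnableLUA=0)"),
    ("firewallpolicy\\standardprofile\\enablefirewall", "0", "Modifies firewall policy service"),
    ("firewallpolicy\\standardprofile\\donotallowexceptions", "0", "Modifies firewall policy service"),
    ("firewallpolicy\\standardprofile\\disablenotifications", "1", "Modifies firewall policy service"),
    ("security center\\antivirusoverride", "1", "Windows security bypass"),
    ("security center\\firewalloverride", "1", "Windows security bypass"),
    ("security center\\antivirusdisablenotify", "1", "Windows security bypass"),
    ("security center\\firewalldisablenotify", "1", "Windows security bypass"),
    ("security center\\updatesdisablenotify", "1", "Windows security bypass"),
    ("security center\\uacdisablenotify", "1", "Windows security bypass"),
    ("security center\\svc", None, "Windows security modification (Security Center\\Svc key)"),
]


def match_tamper(ev: RegEvent) -> Optional[str]:
    for suffix, want, label in SALITY_TAMPER:
        if ev.key.endswith(suffix) and (want is None or ev.value == want):
            return label
    return None


def triage(lines):
    """Map each writing process to the sorted set of tampering labels its rows triggered."""
    hits = {}
    for line in lines:
        ev = parse_row(line)
        if ev is None:
            continue
        label = match_tamper(ev)
        if label:
            hits.setdefault(ev.process, set()).add(label)
    return {proc: sorted(labels) for proc, labels in hits.items()}


# Constructed sample rows, copied from the tables above with the hash-named file replaced by sample.exe;
# the last row is an iexplore.exe housekeeping write that must not be flagged.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy'
    r'\StandardProfile\EnableFirewall = "0" ' + SAMPLE_EXE + " N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" '
    + SAMPLE_EXE + " N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" '
    + SAMPLE_EXE + " N/A",
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc ' + SAMPLE_EXE + " N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft'
    r'\Internet Explorer\Main\FullScreen = "no" ' + IE + " N/A",
]

if __name__ == "__main__":
    for proc, labels in triage(SAMPLE_ROWS).items():
        print(proc, labels)
```

The same suffix table drives remediation on a live host: query each key, and reset EnableLUA to 1 and EnableFirewall to 1 before anything else, noting that a change to EnableLUA only takes effect after a reboot, so a host that reports UAC "on" in the registry may still be running with it off until then.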

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe

"C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.douyin.com/?ug_source=yd_tbbg

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.aldtop.com udp
US 8.8.8.8:53 www.douyin.com udp
GB 79.133.176.225:443 www.douyin.com tcp
GB 79.133.176.225:443 www.douyin.com tcp
US 8.8.8.8:53 lf3-static.bytednsdoc.com udp
GB 79.133.176.227:443 lf3-static.bytednsdoc.com tcp
US 8.8.8.8:53 p-pc-weboff.byteimg.com udp
CN 180.163.207.102:443 p-pc-weboff.byteimg.com tcp
CN 180.163.207.102:443 p-pc-weboff.byteimg.com tcp
CN 180.163.207.107:443 p-pc-weboff.byteimg.com tcp
CN 180.163.207.107:443 p-pc-weboff.byteimg.com tcp
CN 180.163.207.109:443 p-pc-weboff.byteimg.com tcp
CN 180.163.207.109:443 p-pc-weboff.byteimg.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 180.163.207.103:443 p-pc-weboff.byteimg.com tcp
CN 180.163.207.103:443 p-pc-weboff.byteimg.com tcp
CN 180.163.207.105:443 p-pc-weboff.byteimg.com tcp
CN 180.163.207.105:443 p-pc-weboff.byteimg.com tcp
GB 79.133.176.225:443 lf3-static.bytednsdoc.com tcp
GB 79.133.176.225:443 lf3-static.bytednsdoc.com tcp
US 8.8.8.8:53 lf1-cdn-tos.bytegoofy.com udp
GB 79.133.176.224:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.224:443 lf1-cdn-tos.bytegoofy.com tcp

Note: this table does not attribute connections to processes. The douyin.com, bytednsdoc.com, byteimg.com and bytegoofy.com traffic belongs to the Internet Explorer session the sample opened on https://www.douyin.com/ (ByteDance-operated hosts loaded by that page), and ieonline.microsoft.com / www.microsoft.com are IE's own contacts. api.aldtop.com is the only remaining domain: it was resolved via 8.8.8.8 and no TCP connection to it was recorded, so it is the one network indicator in this run to attribute to the sample rather than to the browser.

Files

memory/2216-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2216-1-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-3-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-4-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/1120-5-0x0000000001D00000-0x0000000001D02000-memory.dmp

memory/2216-7-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-14-0x0000000000710000-0x0000000000712000-memory.dmp

memory/2216-11-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-16-0x0000000003090000-0x0000000003091000-memory.dmp

memory/2216-15-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-19-0x0000000003090000-0x0000000003091000-memory.dmp

memory/2216-18-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-20-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-24-0x0000000000710000-0x0000000000712000-memory.dmp

memory/2216-21-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-25-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-30-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-31-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-36-0x0000000000710000-0x0000000000712000-memory.dmp

memory/2216-34-0x0000000001E50000-0x0000000002F0A000-memory.dmp

memory/2216-46-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5CA2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9450e6ca888cc3e2bdf04934f9e2f8bc
SHA1 e70096bb0fd06b1162950bc4b9e1f1abced1006b
SHA256 e34906606758572a78db9af33a71210d5b8c0252744496ad20870e8c3188ab94
SHA512 8e5939c4e4d6f1c6186b481fd3f194c9a77610521f291e75f7005509deb55c6da0e7429f404e90077987ab6b6c98e999ce7349a2415722981fbaed7ba9d22cf3

C:\Users\Admin\AppData\Local\Temp\Tar4403.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dae67e5ed4d7ba5e85eaac3ea579e4d7
SHA1 a62405079c275be4e223b9f9e90f5231ed7a24e5
SHA256 ad11c75d2f4dae27920e7fd6507f857b38721e911102fd255f318cd6474d7261
SHA512 075b45cf8e701c4344756feeb4501e54bb36a904935c8ea8841bb47f39c06cbfb4a8854993e07413df140996e7afafc07a1cec13358a4a86403d201b69cc0458

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e52d60aa4883fb54d8cde90b4aad8c0d
SHA1 10d8a0856a4247e37f8075a1cad4d16a97ba9bed
SHA256 86f5c9ff1e5bb9750cba929e33e4963d0b89829c3a93d014976614a76822ceaa
SHA512 e045af6c84888717b8455d37af3a5a5e1358330cf78a306a787565391a703981e73b59de1806b9b174f659b122a7a4c167e2efc1d30b5a07858784ff0a4b3156

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59beb8217ad3ed162fef324ba56d1615
SHA1 28b991158917489954baa72461080c4ec235bc30
SHA256 cdd5ced73364117f7cb4bb5d2e5e1d7fd7f3771a62ddd6dd8c5eafebc387c0f1
SHA512 f1b766f6b95ce8571edf2d33193bf0fb109c22f189f44c81274ec068a4262af1b685f3b3aae6c9807269795b6ff4e998fd95f0adf4851c104e4ff00cfb373453

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb267e3ebade0dd6fea690e62790993b
SHA1 7dfbec4aad00b7d6a9a75b225a296cdd55a31ea1
SHA256 7a1db2e47d8a5b5319513d16b999c7e4f2fa777a631cf28de4e4d6252b9ae8f6
SHA512 4de4c1776b26d72374e408bc157211a0859e58c8ff73c76c9eb7d0d48023c77cba9e7ac66a62aecd5a1b79760c29abfffbf249392aef212f046294f6e503566d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb859fe384d7877d5b04c8d073343b5b
SHA1 9ca170cff0c8f1150c5a36a08d2ff617a7cc0b5f
SHA256 113d233a469a8d24ea6c7eada708ce18086f175e2adb5616c48fdec93dc16e7a
SHA512 eb75848b39c2a99511ed7cc4d91df1ad228b31d3e5e13f8ba20e5c023cb683f01692fa671ce6380a1f4df804d9424321357d196c6bb75899a82f6c0e08cca5ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94f873f1b26c49ee61e218f69fe79dea
SHA1 2496d3709f7642b2e10b68d5af91cd1132980a5f
SHA256 6326ea945102f57568c1173287f9af77d43b97f3559f5e132ed1cb9d85830046
SHA512 658f7594da0f62d477e53f006cedebd5c36d7129243447f7080f9fec4d332218600d75e3b2d5121dcbef1fa178a17e621ae0798ac10a61ee1f2c5d4c68ad920a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 2e330a5851266c39f7b645bea192f39a
SHA1 2ab668aa835c939ac5625a800390e2358c4cba64
SHA256 bc401eb4b3497b71a586246247ed3afd0550faba7c0f81307e68448f9639d8dd
SHA512 c1c23c693b85a27e7aaf3277ff215d7c5c9f4e8bff6612d4f3d69dc0742aa014f24e273aa639d23f835f51182847f0c4289e75f2c2eae5f38982d507930a0973

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc00071dcad7fcd367658bb5f9e484a5
SHA1 2b184abddbae45410f2b911a22da57539f721871
SHA256 c223527fb9a6ff757c7c63bd096bbc0131c1c11c5cccecb7dfd85e6f6a023e8a
SHA512 f742c0fd3ba05fd7447256eb1e8797ec6a364f91c0ae97f5df97072a3bafdfb847c10a4581982fd05dc932cd84511ce9c1c986097a87c07d4a4fe904e26bbef3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92f0a951fe4cd8b028a42447bac60f4d
SHA1 d732077faf6f200027e2412a747b94246b714d58
SHA256 e1e716c5b42164b1a7db6979c9c04af939754f467f03ea054e7c7a03450ced1a
SHA512 cc0d13ea8febaab609391b59889a607c5ff67f483112643e98a4ece274734a4812ba755814043870b20551f8537e078986a0a66bb864af8022814e629c67b7b7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YV6H14B0\favicon[1].ico

MD5 f8311db859d25e29264e23db6fea5663
SHA1 5e8172fc205457f01a291e044dc8a25c77ece7eb
SHA256 e67348e3ab54fa207e1ce4be78e8399d1b73a794d819a17d8656ea2b17a1109d
SHA512 2b2907d45fb96c3e312a1e074b7366fe671244e76e46d12493e2c35f6e31d1d8361360a154be7b6be046028ca949800e180e96b1e136fb7fb83c1f6662183bb5

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f9yyw0t\imagestore.dat

MD5 fbb57f3aeaa36f809b796b4e64f78c37
SHA1 f897c702f8445cf6383c5b0a5cbd1bba6da3fbab
SHA256 4f65e4a9ed1068171cbe5d67933eb6d6c47c36dcda0c35594c388b72df6ecf2d
SHA512 211537310a8c3bdd114b3fc937b3dc774244b070daddad84e86dc3053d50e889460c116e5255c2c5f97a621307e0ed56feb8558939e57b6b635097b6ba2babe8

Note: the Cab*.tmp / Tar*.tmp files and the CryptnetUrlCache Content/MetaData entries are the certificate-chain and revocation cache that CryptoAPI typically produces for the TLS connections of the IE session, not sample payloads; the same MetaData path (94308059B57B3142E455B38A6EB92015) is listed repeatedly because it was rewritten during the run, each time with a new hash. The sample's own disk writes are the ones recorded under Signatures: C:\Windows\f763a14 and the modification of C:\Windows\SYSTEM.INI. The drop name differs per run (f763a14 here, e5749ea in behavioral2), so the filename is not a stable indicator; the location and the SYSTEM.INI change are.

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-19 21:36

Reported

2024-02-19 21:38

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

152s

Command Line

"fontdrvhost.exe"

Note: as in behavioral1, this field names a Windows host process (fontdrvhost.exe) rather than the sample's own invocation; every registry and file change in the Signatures tables below is attributed to C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe.

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

UPX packed file

upx
Description Indicator Process Target
11 matches, no indicator details recorded (all columns N/A)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5749ea C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (64 occurrences) N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5044 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\fontdrvhost.exe
PID 5044 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\fontdrvhost.exe
PID 5044 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\dwm.exe
PID 5044 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\sihost.exe
PID 5044 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\svchost.exe
PID 5044 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\taskhostw.exe
PID 5044 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\Explorer.EXE
PID 5044 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\svchost.exe
PID 5044 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\system32\DllHost.exe
PID 5044 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5044 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\System32\RuntimeBroker.exe
PID 5044 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5044 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\System32\RuntimeBroker.exe
PID 5044 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5044 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Windows\System32\RuntimeBroker.exe
PID 5044 wrote to memory of 3004 (2 occurrences) N/A C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3004 wrote to memory of 3392 (2 occurrences) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3004 wrote to memory of 2064 (40 occurrences) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3004 wrote to memory of 4400 (2 occurrences) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3004 wrote to memory of 2480 (3 occurrences) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe

"C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8534046f8,0x7ff853404708,0x7ff853404718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.douyin.com/?ug_source=yd_tbbg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 api.aldtop.com udp
US 8.8.8.8:53 www.douyin.com udp
GB 79.133.176.225:443 www.douyin.com tcp
GB 79.133.176.225:443 www.douyin.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 225.176.133.79.in-addr.arpa udp
US 8.8.8.8:53 lf-c-flwb.bytetos.com udp
US 8.8.8.8:53 lf3-cdn-tos.bytescm.com udp
US 8.8.8.8:53 lf-cdn-tos.bytescm.com udp
US 8.8.8.8:53 lf3-static.bytednsdoc.com udp
US 8.8.8.8:53 fonts.bytedance.com udp
US 8.8.8.8:53 lf3-cdn-tos.bytegoofy.com udp
US 8.8.8.8:53 lf1-cdn-tos.bytegoofy.com udp
US 8.8.8.8:53 p3-pc-weboff.byteimg.com udp
US 8.8.8.8:53 lf-zt.douyin.com udp
CN 222.73.33.238:443 p3-pc-weboff.byteimg.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
GB 79.133.176.226:443 lf1-cdn-tos.bytegoofy.com tcp
US 8.8.8.8:53 lf1-cdn-tos.bytescm.com udp
GB 79.133.176.226:443 lf1-cdn-tos.bytescm.com tcp
GB 79.133.176.206:443 lf-zt.douyin.com tcp
GB 79.133.176.206:443 lf-zt.douyin.com tcp
CN 222.73.33.238:443 p3-pc-weboff.byteimg.com tcp
GB 79.133.176.229:443 lf1-cdn-tos.bytescm.com tcp
US 8.8.8.8:53 p3-pc-sign.douyinpic.com udp
US 8.8.8.8:53 p3-pc.douyinpic.com udp
CN 111.26.225.213:443 fonts.bytedance.com tcp
CN 111.26.225.213:443 fonts.bytedance.com tcp
GB 79.133.176.225:443 lf1-cdn-tos.bytescm.com tcp
GB 79.133.176.225:443 lf1-cdn-tos.bytescm.com tcp
US 8.8.8.8:53 p6-pc-sign.douyinpic.com udp
GB 79.133.176.225:443 lf1-cdn-tos.bytescm.com tcp
CN 111.26.225.213:443 fonts.bytedance.com tcp
US 8.8.8.8:53 p9-pc-sign.douyinpic.com udp
US 8.8.8.8:53 sso.douyin.com udp
US 8.8.8.8:53 unpkg.byted-static.com udp
US 8.8.8.8:53 v26-web.douyinvod.com udp
US 8.8.8.8:53 226.176.133.79.in-addr.arpa udp
US 8.8.8.8:53 206.176.133.79.in-addr.arpa udp
US 8.8.8.8:53 229.176.133.79.in-addr.arpa udp
US 8.8.8.8:53 vcs.snssdk.com udp
US 8.8.8.8:53 verify.snssdk.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
CN 222.73.33.234:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.234:443 p3-pc-weboff.byteimg.com tcp
CN 112.28.249.133:443 fonts.bytedance.com tcp
CN 112.28.249.133:443 fonts.bytedance.com tcp
CN 112.28.249.133:443 fonts.bytedance.com tcp
US 8.8.8.8:53 133.249.28.112.in-addr.arpa udp
CN 222.73.33.238:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.238:443 p3-pc-weboff.byteimg.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 136.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
CN 222.73.33.240:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.240:443 p3-pc-weboff.byteimg.com tcp
CN 121.31.236.150:443 fonts.bytedance.com tcp
CN 222.73.33.234:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.234:443 p3-pc-weboff.byteimg.com tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
CN 222.73.33.235:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.235:443 p3-pc-weboff.byteimg.com tcp
CN 175.6.165.123:443 fonts.bytedance.com tcp
CN 222.73.33.240:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.240:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.241:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.241:443 p3-pc-weboff.byteimg.com tcp
CN 61.168.167.141:443 fonts.bytedance.com tcp
CN 222.73.33.235:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.235:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.236:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.236:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.241:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.241:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.239:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.239:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.236:443 p3-pc-weboff.byteimg.com tcp
CN 222.73.33.236:443 p3-pc-weboff.byteimg.com tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/5044-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5044-1-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-3-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-4-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-9-0x00000000039C0000-0x00000000039C2000-memory.dmp

memory/5044-7-0x00000000039B0000-0x00000000039B1000-memory.dmp

memory/5044-5-0x00000000039C0000-0x00000000039C2000-memory.dmp

memory/5044-6-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-10-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-16-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-17-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-19-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-20-0x00000000023B0000-0x000000000346A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5e77545b7e1c504b2f5ce7c5cc2ce1fe
SHA1 d81a6af13cf31fa410b85471e4509124ebeaff7e
SHA256 cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11
SHA512 cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

memory/5044-21-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-27-0x00000000023B0000-0x000000000346A000-memory.dmp

memory/5044-34-0x00000000039C0000-0x00000000039C2000-memory.dmp

memory/5044-41-0x0000000000400000-0x0000000000430000-memory.dmp

\??\pipe\LOCAL\crashpad_3004_CPGEMMNDQTSDNXEA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 24c4642acd4c778e8258df929353a125
SHA1 b816790cb354ce8fe68cb0531bac03376297ac13
SHA256 b97d0ce220bc81610b8b48af42253358c640362fc3fae619ffe28b1afbc59d49
SHA512 ecd39de708841a506d36cb10a8fc1e342575b5ef58351da51dd66a29d980653c317755ddb69f5acd675784ba927b104966c388f6af9b419e13f223f1af6a9e55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9c91c15def25533768ade47c23bc40f6
SHA1 9e3c46c031092cac77e2f99e9eae72322bb5bad5
SHA256 38aa2b56f30a6a50416d2832cd2ade97f2af48049665249a7313a33bacc2b51f
SHA512 54a2ff10591c3116b8d51abf7d954c348854335ccaec7f3c575b0a133c6cc3d0560887b80b31f52b3ef6275ba1f42172394c24cedba30d3b33a4f3133109b24a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 32b725d4d9947f5a9fd0ebfa77f17e08
SHA1 b2fca78fc37a5191485cccd27911aec9ea25055e
SHA256 884a7e1511068e27dcc23bf76c84b2ad4567c74c340c9a4a69df2796670e3498
SHA512 7d896968a52b6169097c835f012bb1c00b95c56b40ad3b4b5e1d30c8e96b9d9b9b34bb4b206701f9ac5113608f26d9f776db56c7c8d946c7fc480b8acbeb2af9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6db2d2ceb22a030bd1caa72b32cfbf98
SHA1 fe50f35e60f88624a28b93b8a76be1377957618b
SHA256 7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4
SHA512 d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 717328623ddc399dbebdb6c9dae93784
SHA1 6d137b7b656d8f49332d0bceae1204e504ca0ce7
SHA256 342d93e500b8ddbb631cfb8bedb036f5b78439b1b3c57ff58dcae397f37906ef
SHA512 705236c5ceff43f7de55c5cf9b8645c09f8c99087b400531ce4a7a603460d441254796bce1178ad61215449f75d60969b7f940bcf17dcaf159dd3e1e859f8f63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4482fc709a1ebc93bd4db1a7af6b5fe8
SHA1 fa8977d7b7fed1bf78eadf4e126ed266e31359ce
SHA256 276a3e06fb3ae09de3b2f89b1160f622615a391e289c8b456ac08b3264337e9f
SHA512 a5ea0a42df57e74a1d6830cbf2144598f4c4b5e03cdc0fb1a7f8f924ea95121c0840bfdf59aa9cc1fa49370b9a8f3bcb4116cb80304bd3a6c75ace04268b1ece