Malware Analysis Report

2025-08-05 19:38

Sample ID 240228-zd736adc93
Target 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e
SHA256 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e

Threat Level: Known bad

The file 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Modifies firewall policy service

Sality

Windows security bypass

Windows security modification

UPX packed file

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Enumerates system info in registry

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-28 20:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 20:37

Reported

2024-02-28 20:39

Platform

win7-20240221-en

Max time kernel

118s

Max time network

151s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f769398 C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000006101990169807e5a87bc09a01925f88e183f7ad7bde5eb2aaf748ff21612b830000000000e8000000002000020000000991768a44bf4b9832cb4ba0ab77d38db8ced624dfa2438d7a246b3f4a7d42827200000002885616577febcc95b4996dc2337c664eb62ba5250b93ab304d4c4a21b0272ee400000000262fd6ee51909a7ba4a986897766cbd8dd5c71c5dbeb941af437d3129c22da515d100a485101eff14536949c7710b52f3c669d3bd4075aba262ffb27bd8db60 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102ae91e866ada01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2F4FBDB1-D679-11EE-9C59-EAAAC4CFEF2E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [data value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415314524" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\taskhost.exe
PID 1136 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\Dwm.exe
PID 1136 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\Explorer.EXE
PID 1136 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\DllHost.exe
PID 1136 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1136 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1136 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1136 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2344 wrote to memory of 1200 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2344 wrote to memory of 1200 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2344 wrote to memory of 1200 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2344 wrote to memory of 1200 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
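The WriteProcessMemory rows above are the most telling part of this run: one non-system process (PID 1136, the sample) writes into taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe and iexplore.exe, while iexplore.exe writing into its own IEXPLORE.EXE broker is ordinary browser plumbing. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the exact text form printed here, collapses repeated writes into one edge per writer/target pair, and flags writers by fan-out and by whether the targets live under the Windows directory. The thresholds (three distinct targets, or any Windows system binary) and the "outside C:\Windows" filter are the editor's heuristics, not something the report states.

```python
import re

# Constructed input: the "Suspicious use of WriteProcessMemory" rows of behavioral1 from this
# report, in the plain-text form the report prints them (Description, Indicator, Process and
# Target columns run together on one line). The sandbox repeats a row for every write it saw.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
WPM_ROWS = "\n".join([
    rf"PID 1136 wrote to memory of 1204 N/A {SAMPLE} C:\Windows\system32\taskhost.exe",
    rf"PID 1136 wrote to memory of 1300 N/A {SAMPLE} C:\Windows\system32\Dwm.exe",
    rf"PID 1136 wrote to memory of 1352 N/A {SAMPLE} C:\Windows\Explorer.EXE",
    rf"PID 1136 wrote to memory of 2096 N/A {SAMPLE} C:\Windows\system32\DllHost.exe",
    rf"PID 1136 wrote to memory of 2344 N/A {SAMPLE} {IE64}",
    rf"PID 1136 wrote to memory of 2344 N/A {SAMPLE} {IE64}",
    rf"PID 2344 wrote to memory of 1200 N/A {IE64} {IE32}",
    rf"PID 2344 wrote to memory of 1200 N/A {IE64} {IE32}",
])

# The writer's path ends at the first ".exe " so that the target path may contain spaces.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>.+?\.exe) (?P<dst_img>.+)$",
    re.IGNORECASE,
)


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, target_image); other lines are ignored."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def injection_graph(text):
    """One edge per distinct (writer, target) pair, so repeated writes into the same process
    do not inflate the fan-out. Returns {writer_pid: {"image": str, "targets": {pid: image}}}."""
    graph = {}
    for src, dst, src_img, dst_img in parse_rows(text):
        node = graph.setdefault(src, {"image": src_img, "targets": {}})
        node["targets"][dst] = dst_img
    return graph


def flag_injectors(graph, min_fanout=3):
    """Writers that behave like an injector rather than a parent setting up its children:
    a process outside the Windows directory that writes into at least `min_fanout` distinct
    processes, or into any Windows system binary (editor's heuristic). A browser writing into
    its own broker (iexplore.exe -> IEXPLORE.EXE here) stays below both thresholds."""
    hits = {}
    for pid, node in graph.items():
        if is_windows_binary(node["image"]):
            continue  # Explorer, svchost and friends routinely write into children; out of scope
        system_targets = sorted(p for p, img in node["targets"].items() if is_windows_binary(img))
        if len(node["targets"]) >= min_fanout or system_targets:
            hits[pid] = {"image": node["image"], "fanout": len(node["targets"]),
                         "system_targets": system_targets}
    return hits


if __name__ == "__main__":
    for pid, hit in flag_injectors(injection_graph(WPM_ROWS)).items():
        print(f"PID {pid} ({hit['image']}) wrote into {hit['fanout']} distinct processes, "
              f"{len(hit['system_targets'])} of them Windows system binaries: {hit['system_targets']}")
```

Run on the rows above it reports only PID 1136: five distinct targets, four of them Windows system binaries. The same edge-collapsing matters when the input is an EDR event stream rather than a report, where a single injection can produce dozens of write events.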

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe

"C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://suggest.se.360.cn/sedoctor?ctype=se&cversion=

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.360safe.com udp
US 104.192.108.17:80 dl.360safe.com tcp
US 8.8.8.8:53 suggest.se.360.cn udp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1136-0-0x0000000000400000-0x0000000000506000-memory.dmp

memory/1136-1-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-4-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1136-3-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-5-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1204-6-0x0000000000210000-0x0000000000212000-memory.dmp

memory/1136-8-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-13-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-24-0x0000000004570000-0x0000000004572000-memory.dmp

memory/1136-26-0x0000000004570000-0x0000000004572000-memory.dmp

memory/1136-28-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-31-0x0000000004570000-0x0000000004572000-memory.dmp

memory/1136-30-0x0000000004580000-0x0000000004581000-memory.dmp

memory/1136-25-0x0000000004580000-0x0000000004581000-memory.dmp

memory/1136-21-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-32-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-33-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-34-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-63-0x0000000002350000-0x000000000340A000-memory.dmp

memory/1136-70-0x00000000002D0000-0x00000000002D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7BF6.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar7DF1.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce3a64eaab2b185113e5ea5693606504
SHA1 363e46414383528424d661aba949f94184ec835e
SHA256 bdcc0c3c424c6cf5d564fe1430a1d9988e307e2b29fe53186cdbe4b3309fe055
SHA512 a5dca53e030e5a5a3c2976a23c037ea53376d299ed8288da8e62ae6fdaeddab3ee629354ac461521333ac7a6811b19d29a467e229dce9104815373e003abbce7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 276cc802d711430f6d268b4f37cbb0f1
SHA1 5c4ec58074788e225d34883eef9fed938b0c4b93
SHA256 7ac023e79545cb4b27c1556aea3fb24a40062180fd14a2f9c0073fd813e0c423
SHA512 dcf7d93b1f5185f54c16f4d92c5ab7625a54ccdc66fa83c4d86e1332bf51f85adc3ac5dc2b5901ef316295754d399367a39fdfc73f5ded338d55f5608bc6e5af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 726d6461f416fe936e2361a0489067eb
SHA1 2be47c52994e470527279fa9bdc14fdea61fa751
SHA256 f7e4e37ac5ce125eb4c149656aa27c019279d56f9998c611db5afb76ee001070
SHA512 9b3d1b22e68337097c2934487f359fbc311a2df19ac38ddad6d196d5492f1bcba7b1c1b659868c8414a9093e4232604da9453877488600a293f4819840ffc135

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 134b08c32be31d072b263ec2516ac469
SHA1 4e05f3ae9b7503da4ca83cb470c697fce76106e6
SHA256 d2b82e49fecf3674e95999205aee28e5e056087d90bfe076cb77ba3f66e94ee3
SHA512 f55591239f0f975c3dd40399a1be02325c4c206ddfdc07350ec87277b4182434adec9d3e8590a246c6482195af194952363b6326407c5322c9a65e9438740341

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c288020ad00f45c05a230816964865d6
SHA1 e0118faa744a703c9cbd33adb6d7483836fb619e
SHA256 a2865e2231e6d6c69e944cf5988c3d567de2da0d7ba62cb1a35bb05aafa84b71
SHA512 0afda4c00339a2fffd3846e1eeee4a9fd73db9b18b2eae211449a6c9c3b2c7c3b6aeb46c6f6081b8b7ad73b64e798a7eddda5d3cb7d2cc9f8cfe721968a0a75e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15dac39cb94ce28bc856dea86c46e498
SHA1 39f31765b255fce1d6d0de35c3bad2896c564ed3
SHA256 0cb2c7f41e5679470bd5678ebbd2f8163eb3545c6dd86eba703c1647529801c8
SHA512 4701779680438783e06291bc4fa1ec33a4876470dd6bb9130a2fceee60b865859cce0e5bb9422afef62be27b1ec2ffc5fb4be4610a9521ad40b73a16c1f5aa15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b9f1cad89c962ad466a139a07b50606
SHA1 59d3afac00ce0dd5ba660d45e71d053fc9f7be9b
SHA256 e1c2d10081e073e3d46c40ae975814f999feb4eabea589d4f2b36309d3033d4a
SHA512 95e1a34840783d140202dae8a784fdf8982e6c9f15f0c85a5829857ccaea76dc4017312b12c8e9f403fccfb5e48269e578e288799bbebf287108e0fde517ae63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a8f78825a1bc80d49586860ce0390b9
SHA1 649092cee2f9557eb77ce7d472297a5eb7a38564
SHA256 8abb79449c0273b9db061b3c603d537c841c2fc67d7299f1f3041ef6ca59e0ee
SHA512 eb54e3c0ad1f4a0579b1e97789a1b126354a8528660a14e5c8fd6fea9a34cb83e1858403fa57394d803bf9782628f344fe5357963963a59ef95bfe6134c083bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b53c44b6be9753529160a339542b53d
SHA1 fcf017234d5aed863807b140eef44e5977c57107
SHA256 820bd192d1d92ddd0372ea2d737058fd688b4dee8d61c8129b75f6f16db31d8c
SHA512 7efccd327acc0629110f8cb0b5720b42ff9dbcac36a7d6fc28bfaa0fe0908b324ac4da0a92be74970447f398dead48d4cd8f164d3cdb74bc30a3d23e1b13f2e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02ad3cc7de8793d6c06759190834aa44
SHA1 f93087a702a84f67c27f9f7f8ebb964c82aa3952
SHA256 6500f40315c6676676db9116f048c5ff75f74d6ec2d049adf4498cb59980497b
SHA512 70b5c5e374cbb4a71f7db904934ab65afe3cb29a78c29466c00256e45005e2062ece1570e855aaf68a79b346e8050869611724913cf7ea8ec4e4650338286ece

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59406ed4563e7087185239952ad8d909
SHA1 39a43a2712f4c6f56932a0cddfb5d6d4c4a96846
SHA256 6e901ce3e4c890e28391993840886c02e7dac64fde2828baf3eadbc2f23ea296
SHA512 01f76f9dfba0f3b207dc761cc83dabe24bdee9819680d8308c71413cb73cc8b149c40e354377092affb96e0ba42f34e2fbb5e961d60226d374b7ebb9a2e56055

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ba8bcb5dd7132152d9219083cc7b4a7
SHA1 d4dd2f846e81111d00af9b859fedf9fded705a68
SHA256 fc06c4375a1e486c505844e009c4276bdc172e77a80b253999d32d1d2a2ab17a
SHA512 68f867e0bee780a0e2e248bd986f8bc8d7634db9f0d2eea6b87ce4f8de558e840a4b337296f15ed1b325b61346343e510a168ea11816ac84e2d94f72efc13e91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a19fb673fffb8b465eed1ef9ead8e68
SHA1 2a51b55a40b9f4f7688c698ed3caf602eeb25309
SHA256 e970f9092f544931502ef71664982418b67cfe8a9abb78d8ac38f288553bd7da
SHA512 54d7df1f5ed20f1fe4f6c8e711e96ccb47305c35a7c566c82fa5bc33a4fbe170f921103aa9a5c79925f07c242d40539784c4658840536613c43fdcf426a1b5ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ca8cd65f95377a3317c19b675ebaa42
SHA1 c8b7c9afdd90892821a87f05329640fce9afcd64
SHA256 6afbe1fbcb7e6108ad135a2e00d6b53014f3cedf949ee4a8c3bc5d70cc1a2906
SHA512 f53b502c071041ce30c0d85b62b9f0a8bc7d31c9b9ac6364222417e32222cfbabcfe0d761b10067d7515bc3124cf20a39f64e09f49e7b7428e3a8f7c67c50d8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb8426071e75e8e7b35fc4c8da142b22
SHA1 c82e25ad5d472d1c5e0d955fd3ea61189593c7bd
SHA256 8c3bb4ce58e62ac45dd7b0531ad95087eeaa969571dc6032f74cdaafeb13f082
SHA512 93b105abc4a2fd01b3ba949f9002e8e723c46794e6f3608b11b698af1c64a318c6fbaa5ac4a16fac32610b341c737bc159920496b368763e3ce9f57050c68d4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70bf282d99411970bb0a6bc36dbaf229
SHA1 bcb8576268f8c35eb81e636730be7258c6526497
SHA256 e31d3b4d21e9d075919c6b72458465959c2eb7002b25e6c1aa6c6c2ac3e3abca
SHA512 c2a2c1df69b66a89dfb1456dd60ad534909b1205dba621e154d2cdd1980a4315acfb069a0cbb8d06a5548fa5bddad52e2ea010e34a0ca6ca2437aee210a89709

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f9a9d9995276bf0c5c6fbda3c50c379
SHA1 d25e0f01e9fbedf33084fe3159ce89bc76144c87
SHA256 27c3504f537bc68edb4db3d19cd3c17990e1f98578e3f939f59c70df76025ff4
SHA512 c73d6cce85d3416c4be0cefc62770d6952a15873ac3db5b50847f390fae9d40887ebc093ad1eb3f792de5fe379ce2bd8f26829091bf1b2828fb698c7238fd8d9
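The memory dumps listed above are named by the sandbox as pid, sequence number, start address and end address, and the same region of PID 1136 appears several times with different sequence numbers. What an analyst wants from that list is which dump to open first: the mapped image at 0x400000 is just the packed file, while a large region the sample allocated itself is where decrypted or unpacked code and data commonly end up. The script below is an added example, not part of the report: it parses a subset of the names above, collapses them into distinct regions with sizes, and ranks the non-image regions of a process by size. The image base of 0x400000 and the 64 KiB size floor are the editor's assumptions; the ranking is a heuristic, not a guarantee about what the region holds.

```python
import re

# Constructed input: a subset of the memory-dump names listed under Files for behavioral1 of
# this report. Each name is memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, and one
# region can be dumped several times under different sequence numbers.
DUMP_NAMES = """
memory/1136-0-0x0000000000400000-0x0000000000506000-memory.dmp
memory/1136-1-0x0000000002350000-0x000000000340A000-memory.dmp
memory/1136-4-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1136-3-0x0000000002350000-0x000000000340A000-memory.dmp
memory/1204-6-0x0000000000210000-0x0000000000212000-memory.dmp
memory/1136-24-0x0000000004570000-0x0000000004572000-memory.dmp
memory/1136-25-0x0000000004580000-0x0000000004581000-memory.dmp
memory/1136-70-0x00000000002D0000-0x00000000002D1000-memory.dmp
"""

NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dumps(text):
    """One dict per dump name: pid, sequence number and the region bounds as integers."""
    return [{"pid": int(m["pid"]), "seq": int(m["seq"]),
             "start": int(m["start"], 16), "end": int(m["end"], 16)}
            for m in NAME_RE.finditer(text)]


def regions(dumps):
    """Collapse dumps onto distinct (pid, start, end) regions, keeping every sequence number
    that captured the region and its size in bytes. Sorted by pid, then address."""
    table = {}
    for d in dumps:
        key = (d["pid"], d["start"], d["end"])
        entry = table.setdefault(key, {"pid": d["pid"], "start": d["start"], "end": d["end"],
                                       "size": d["end"] - d["start"], "dumps": []})
        entry["dumps"].append(d["seq"])
    for entry in table.values():
        entry["dumps"].sort()
    return sorted(table.values(), key=lambda e: (e["pid"], e["start"]))


IMAGE_BASE = 0x400000  # assumption: the sample is mapped at the default 32-bit PE base, as dump 1136-0 suggests


def unpack_candidates(regs, pid, min_size=0x10000):
    """Regions of `pid` other than the mapped image that are large enough to hold code,
    largest first: the dumps worth opening first when looking for an unpacked payload
    (editor's heuristic). `min_size` drops the small heap and stack fragments."""
    cands = [e for e in regs if e["pid"] == pid and e["start"] != IMAGE_BASE and e["size"] >= min_size]
    return sorted(cands, key=lambda e: -e["size"])


if __name__ == "__main__":
    regs = regions(parse_dumps(DUMP_NAMES))
    for e in regs:
        print(f"pid {e['pid']} 0x{e['start']:08X}-0x{e['end']:08X} {e['size']:>12,d} bytes, dumps {e['dumps']}")
    for e in unpack_candidates(regs, 1136):
        print(f"candidate payload region for pid 1136: 0x{e['start']:08X} ({e['size']:,d} bytes), "
              f"first captured in dump {e['dumps'][0]}")
```

For PID 1136 this leaves a single candidate, the 0x2350000-0x340A000 region (about 17 MB, captured in dumps 1 and 3), which is the dump to load before the 0x400000 image. PID 1204 (taskhost.exe, one of the injection targets) has only an 8 KiB region, too small to be an injected image on its own.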

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-28 20:37

Reported

2024-02-28 20:40

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

168s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
File created C:\Windows\e579143 C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\fontdrvhost.exe
PID 5024 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\fontdrvhost.exe
PID 5024 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\dwm.exe
PID 5024 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\sihost.exe
PID 5024 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\svchost.exe
PID 5024 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\taskhostw.exe
PID 5024 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\Explorer.EXE
PID 5024 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\svchost.exe
PID 5024 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\DllHost.exe
PID 5024 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5024 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\System32\RuntimeBroker.exe
PID 5024 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5024 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\System32\RuntimeBroker.exe
PID 5024 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\System32\RuntimeBroker.exe
PID 5024 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5024 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5024 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5024 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\System32\RuntimeBroker.exe
PID 5024 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Windows\System32\RuntimeBroker.exe
PID 5024 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4736 wrote to memory of 3516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe

"C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://suggest.se.360.cn/sedoctor?ctype=se&cversion=

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa603946f8,0x7ffa60394708,0x7ffa60394718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6108 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 dl.360safe.com udp
US 104.192.108.20:80 dl.360safe.com tcp
US 8.8.8.8:53 20.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 suggest.se.360.cn udp
N/A 224.0.0.251:5353 udp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
CN 101.198.2.162:80 suggest.se.360.cn tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/5024-0-0x0000000000400000-0x0000000000506000-memory.dmp

memory/5024-1-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-4-0x0000000002320000-0x0000000002321000-memory.dmp

memory/5024-3-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-7-0x0000000005A90000-0x0000000005A91000-memory.dmp

memory/5024-5-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-8-0x00000000039D0000-0x00000000039D2000-memory.dmp

memory/5024-6-0x00000000039D0000-0x00000000039D2000-memory.dmp

memory/5024-9-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-10-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-16-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-17-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-18-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-19-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-20-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-21-0x0000000002790000-0x000000000384A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MiniUI.dll

MD5 318bf2333b0d85e121578d6fbd24a8e4
SHA1 21223370b8cef81aac8f440942419bf1476ffca8
SHA256 6ce78ea7c8c562bf471c58a62c7792705e46bfafdb931551acfe4cfa519eb8f3
SHA512 cd9daff993e38299784ded6ab2670c87f802d403043ddf24fa631ae45e240929e632ec92ab683220f13bc9083d62acc04536db18d03853c7d53ccd45caf945be

memory/5024-29-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-60-0x00000000039D0000-0x00000000039D2000-memory.dmp

memory/5024-50-0x0000000002790000-0x000000000384A000-memory.dmp

memory/5024-65-0x0000000000400000-0x0000000000506000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a774512b00820b61a51258335097b2c9
SHA1 38c28d1ea3907a1af6c0443255ab610dd9285095
SHA256 01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512 ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

\??\pipe\LOCAL\crashpad_4736_KBEQAIQNFISVVGSK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fd7944a4ff1be37517983ffaf5700b11
SHA1 c4287796d78e00969af85b7e16a2d04230961240
SHA256 b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA512 28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0f115026424026322e0784a26c1ca49a
SHA1 4948ea4adc9694c343ba0e67844967995b37398a
SHA256 27326cca16186f66ead2965e5b660f95f89d48058334e0b7d416a00aa939edc5
SHA512 c0584ff3b1602354fc50739a580d2dac1d54fae398d6e61fe8c3aae61d7ca0177c0238e82c588a1bf1e8ba7e5f703701e34ca9f457b7283ac5c21f6b33193d5e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1262e93911d902d3ef514a50d5f83c86
SHA1 2a3107f78f8a990a0a3505b8412fe5a727ab69b7
SHA256 97c4f2c261c97e60a0d2772476eed1ec786263edb76956dfc096106d71082c7a
SHA512 63474cdf4d6372ea0d8e947a5702ebbc107dea9fe192666c01de42be03125af00bac9d8b416fcd471e7157bfc4ffa0ec85d3962649acb087f51f77ca82116a52

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fec21ff0237fdc9d85f98b326bc75301
SHA1 c720d45a53ce595ff82dde068301036d9d8c9077
SHA256 47672375030f92db0949e0928bd05fd957234f1aee6ae4a0ceb18179bf041ccb
SHA512 840e9e3e6a904b407d1d8533230e8cf1f3ff96344d2058af410bdcf9d9608ffcbd4d6d8c4733aa7a620bc253d8ff183758ca6076d5a83d1b3b81282e4b7c5179

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4c7df2aafb08813aeff8a5a34fc6c0af
SHA1 30ed5496cc923ba0dff71ebdc1db59795a5b834d
SHA256 a7352db104747bd4ee7202c501bb75a791769174a633ac08dcf8d6c5f5281b92
SHA512 af9a3cce1ce3e72b2e2824b51bf85687f5471e4d98058b91a83a7f6e29d90d1319371e6ebeeaf11210305eabebb19cdb9fa7aef2d70648d617b0441cddf66fd3