Malware Analysis Report

2025-08-10 12:34

Sample ID 240403-pkltdsda4t
Target Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
SHA256 664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1

Threat Level: Shows suspicious behavior

The file Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 12:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 12:23

Reported

2024-04-03 12:26

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
File created C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
File created C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
File created C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
File created C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
File created C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1580 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1580 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1580 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1580 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1580 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1580 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\System32\schtasks.exe
PID 1580 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\System32\schtasks.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 4888 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 4888 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe

"C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN WinTask

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\p.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb299646f8,0x7ffb29964708,0x7ffb29964718

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN WinTask

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe /sc minute /mo 5

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7D79.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7D79.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

TaskKill /F /IM 1580

C:\Windows\system32\timeout.exe

Timeout /T 2 /Nobreak

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3276 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 160.111.86.104.in-addr.arpa udp
SG 128.199.113.162:80 128.199.113.162 tcp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 162.113.199.128.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1580-0-0x0000018529D50000-0x0000018529D64000-memory.dmp

memory/1580-1-0x00007FFB2ECA0000-0x00007FFB2F761000-memory.dmp

memory/1580-2-0x000001852A1E0000-0x000001852A1F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d6e17218d9a99976d1a14c6f6944c96
SHA1 9e54a19d6c61d99ac8759c5f07b2f0d5faab447f
SHA256 32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
SHA512 3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

\??\pipe\LOCAL\crashpad_4308_TXOTBVVCKOIWONQX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\p.html

MD5 4e4349147d3cbbd440f7f3fac5866fa6
SHA1 563cf45b4395e64993a84665efcb49b3775505b1
SHA256 732efd30bfed7196474ada4a5ffabc01f116bb2b3c68c099991f291ab0c6e325
SHA512 7f2e285507d699b1362babcff71b56e1ddd56fb819a27007f492b2276a10648aef6e5880306a60e2d0265b57b999dfabfae0cb7909a64cf9eebc21f8fcb1a440

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ca212de6-7d33-4f9a-9877-3a1021fd55c8.tmp

MD5 55460361f6588dc4059d5f2eb85b8921
SHA1 1fbab74d5dace98a109a5f8bd1206af3dbaaa403
SHA256 d926f86e3b2868e3dd08c0288189ed6abff117d65ec19a3a571f8af11941bae0
SHA512 dba8689eed0629fc1267255f951218b2d630a5fb2a47bb6e0a5dfd11effb30e0667ca3ced8ec5183347ada39166d5708bc17b88c0742b2a5860aafd6ff71de55

memory/1580-43-0x00000185446A0000-0x00000185446E2000-memory.dmp

memory/1580-44-0x00000185446E0000-0x0000018544746000-memory.dmp

memory/1580-45-0x000001852BAC0000-0x000001852BAC6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 b229d4c9a7e4ebc8f46df752aed13a40
SHA1 9702483d3abfe7ac2be562636c085dd38a79c519
SHA256 587e08fca87ac738cf1e56754f4af8e6a1ed61fe0f171f31660df062d3aab39b
SHA512 36b7152859ccfe7a0c88b7f7f9d13cd47fb5c2857faf1295860fc1b50b092834166b4a4b4d3d2b8c5333f94ecd0c2fc79bedc305483b6ec8d310828c87d39706

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 e3b205ab3fc50fc281ec0e736bf9ef4a
SHA1 e0e852a15b94d6767c75273607c1a66a334b848b
SHA256 a4d78b8167d3cdf73c666dc72e1b410a221c2df127e1e0c3418d108a86eab2b9
SHA512 f7a0848a4d9b56b38c6c1cab3a6aaf517bd00ebcaef46d9495c0245b08a2afdd334d6e71174b9aa4caab19c0ad8ce007c00fb9a282837bdb2b62fce160a1310c

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 6969521b65999f8ccba1490f72b0e38e
SHA1 d513c0beb30eb56e013cc54c799a72a6274a3dbe
SHA256 771b56527440947270a03586f5918166cea77641dae4f84b2e8d40f6b3ef8c9d
SHA512 cf8ad240933ac4f0d02ee09e74f812256d20e5ca928deee8ba6f47b0d79b9ff6e14b6a0e775439a27e5c21293fa328af61ba1af522789c73fafc78de521a4e79

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 994ab2913fc03bc82b207207e9c91919
SHA1 733b3a73fb54ad842b67fb36951857c0ee5c3939
SHA256 3ba97883d75d8bcfc2afda0b93ce5210e2fc6ec2e14f5e9b67e947b4db2b10dd
SHA512 99f56e1bd72c9068ae46355cd53da594bdea419d6760d4f33e86c09579e06ea0bd5a4062c4f3a9f4bfb56da384e815f76b192209eab9fe4fc56ddc64510256c8

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 6c9ce2b15da8187d0dbcffc8c3ce2d5a
SHA1 1b86b6689481e107f9fdda1c4b0c0630fcf92fb2
SHA256 21528e763355a3de9699fbefb2812b453d5ee3cd9b223b851dd12a4c477e3d17
SHA512 559dd7bff77dee630400351020f261ee8f4c99eea0d897a78682323233176521771e085ff07e7b78d09116ce0a39576156b8d222f4b9cf8e7c4d2372b56392b4

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 837cbed2b4be007ce95efe8e46a58805
SHA1 38133229c9312d04028cc7ed770e398159c28ecf
SHA256 0a161afc75c851be1323f54eada70ea0168fd07aee3784de904ae7714a1197d6
SHA512 c47b21258da32424f5fbbcd8ad8ef7ddd883c431549c4454ea41cae793b64b80f9e547c6fcc17034ff4d0192892c76d1c86731b07316f31561dedaf79984419f

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 056095375095919a846b649e248cc09b
SHA1 d30401f41b8785d02c9bf0d654f55ecd8a9c9632
SHA256 eafe3a7736c73e57695f2006a46e484bb9a62b2e7564e70b48f7f76d4ce6d774
SHA512 f68de326e532146e4ab2dc23cf3d6466ba2437e288e41328cccdcc5710f6a83ee4f0947866e1a59fbba038fe339f6fa96b01a7595a909f2686aaa7575c3b816b

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 a3206f117c3471db2a954a3844d1e03f
SHA1 9521e2efee002e3248b64e4f4a7a1eb775a07872
SHA256 e158755293d05c918c3784c708a89cf75de5cc6376d4b1dae9e235a3916a7e51
SHA512 43b961f260eb05ced5214ce7508fcf1d2598a318ac7d3768ab829c6b5bcab5a6636e6ac8eba7ebd787e3f573cbe1b690c7b00b29fc00e839da9e57dbb35ca29a

memory/1580-215-0x000001852A1E0000-0x000001852A1F0000-memory.dmp

memory/1580-217-0x000001852A1E0000-0x000001852A1F0000-memory.dmp

memory/1580-225-0x00000185444A0000-0x00000185444AA000-memory.dmp

memory/1580-226-0x00000185449A0000-0x00000185449B2000-memory.dmp

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\tmp7D79.tmp.bat

MD5 bc62b839f112ed1738746dde677c1c64
SHA1 8939e5cc1624e8c14938114e3adb6691558500c4
SHA256 343dd792d66683c6dfbcb44d4c6bddc46cacd556a6ec8279527202ba4ee69d82
SHA512 13ffe3abfa421bea484af0fbf2a7889c00b40dccb9c7fb71d362c35e955d4ca1b5e9ed669d372a9c3082ec744857243a4f5209957642521bf43b47632e3d2713

memory/1580-286-0x00007FFB2ECA0000-0x00007FFB2F761000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2fd9b2230fffa06d031cc26d1f58a27a
SHA1 72364c4ebed774ad61df8ffb934ee1bf4500de52
SHA256 142ceba8c9a6ba993e4da0b079f016cf89eb40f0bbf3c584114f8ae0a6f12793
SHA512 337d31d62c3414d35067b8dc82362dcab163392abecb1c4b093b420893d11fdd28c8d67418eef198a5de2d31a6ed2354dc0f1fcfd7890e6dcb2b2439353e595e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e3b15cccbbf91972ea46c7b10748dc51
SHA1 75f69939140d5b059cefae3fba32a95fd33aa5af
SHA256 23050f4dd3a28ee78d9e44af1fbea23f900409aebebe4abd71a5658588dc1960
SHA512 9671399dc5b8a901f4277814f5a12c3d75b2f093ff06250734c4791a083b98056f6a06b5eaaa01187b61f941794488852697ac3c5108b1ec2a46b638d9ad8655

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 c2ef1d773c3f6f230cedf469f7e34059
SHA1 e410764405adcfead3338c8d0b29371fd1a3f292
SHA256 185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
SHA512 2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 12:23

Reported

2024-04-03 12:26

Platform

win7-20240221-en

Max time kernel

121s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
File created C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
File created C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
File created C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3039dedac185da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418308897" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc5000000000200000000001066000000010000200000007ae0524e71ed9546285f40e90c4b7563d09408dd8472f261ec6c3231d310d02a000000000e80000000020000200000008668643dd3f41b717374207326449f33ab159e015284c49cccadb635b7c996f62000000052d06e14be5e4557f5302e827b44e9303c91784037bc8ba861ce4356fd8602ec400000009753787c5b770c05d87a0f28a4cd411ababf48a6b1918bf1ca1c60d9dd1f08756fbcc10d571a07df5091030516c7d43c6a1dc71a674fa769178944185567ca4d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0609EB41-F1B5-11EE-A1D2-729E5AF85804} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc50000000002000000000010660000000100002000000017dda145fdec5abb00dbff584b79ef6b55e66c31ff5c0d5ead5180da43867727000000000e800000000200002000000076e5182cafea0be33ca05147699e19d9e0a5131ea434f36acbc2c00a5e18318a90000000584ea5af1277737d0e62c2a5fb7198c6b682a189d29739f42deb02130c17abcb63715cd904c0ef839df2a8cc5169a3144aea44b0fc7e637bb55ad6a57552ee848b9b8a50877ea6b8d59049bbf83269c66eeace0ef988146c594dd52ddfda1300bb21f681e6e3aa8ee77c1e772706b408870a09b5577984a1ee3b220fffa736c679422bbd2145c535c239b1aec3d0494a400000003c707b7619106678dbaf5f6cbdc2f7d9a355b2c989d65806225444c4fdba66c7dca7fd67cff44de8160df771f3df31ffdca4584aa5b3e40d73281f09fae8a280 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\schtasks.exe
PID 2120 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\schtasks.exe
PID 2120 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\schtasks.exe
PID 2120 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2120 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2120 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2120 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\schtasks.exe
PID 2120 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\schtasks.exe
PID 2120 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\schtasks.exe
PID 2120 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\System32\schtasks.exe
PID 2120 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\System32\schtasks.exe
PID 2120 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\System32\schtasks.exe
PID 2776 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2776 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2776 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2776 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2120 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1036 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1036 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1036 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1036 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1036 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1036 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1036 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1036 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2120 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe C:\Windows\system32\cmd.exe
PID 1164 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1164 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1164 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1164 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1164 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1164 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe

"C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN WinTask

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\p.html

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN WinTask

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe /sc minute /mo 5

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
SG 128.199.113.162:80 128.199.113.162 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 104.86.111.153:80 apps.identrust.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2120-0-0x000000013FE90000-0x000000013FEA4000-memory.dmp

memory/2120-1-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

memory/2120-2-0x000000001BC90000-0x000000001BD10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\p.html

MD5 4e4349147d3cbbd440f7f3fac5866fa6
SHA1 563cf45b4395e64993a84665efcb49b3775505b1
SHA256 732efd30bfed7196474ada4a5ffabc01f116bb2b3c68c099991f291ab0c6e325
SHA512 7f2e285507d699b1362babcff71b56e1ddd56fb819a27007f492b2276a10648aef6e5880306a60e2d0265b57b999dfabfae0cb7909a64cf9eebc21f8fcb1a440

memory/2120-9-0x000000001BB10000-0x000000001BB52000-memory.dmp

memory/2120-10-0x000000001BBE0000-0x000000001BC46000-memory.dmp

memory/2120-11-0x0000000002540000-0x0000000002546000-memory.dmp

C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\System\Process.txt

MD5 c8ebdf62cb27649e98698e75c49e3cfa
SHA1 09eae9b9482edec7ddbe0ce9f8c005c1d45be918
SHA256 bd7b68187d79249365d02c5934eaecf7a4e20070627dda7ba9cf5b376f0cee5a
SHA512 faf7eaea3ee9d3fdea43bcdef2531ae1b4d1707cc8ceeef03c6c66b8eae2d9c13eb5c02638653f0666c2000cb3902e9e93bf2d88fb27e330b3b7ff2714a31ea7

C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\System\Process.txt

MD5 c738ea0e48edf8ba3e3fd8b518fbc23a
SHA1 73435ef5e933ade3496f1dbe2166552afe0c9a63
SHA256 c6ed8ace309f8c8f93dc9e4356f5d109d5104bb5405258de2bb420d7d2be04ae
SHA512 6e3c39d925dbbbeee579cdcf9956261ef1826617d34cb88eb55b34feca6caefa508e6d9fe59dde70699d2467cc7164e96f78869c73fed0f1af401cb2ccc50531

memory/2120-90-0x000000001BC90000-0x000000001BD10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab958C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar968F.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6f62a3a55b5ebeeeaf95ced6d18bb4b
SHA1 b9e5aa709282ffe2449e9af6f5d2d9ce4647ac07
SHA256 519c9c878a95fc08624cf3021c60b0d35c023e3cc6f4e7fcd4bc74eb9d00ad3a
SHA512 56ddf41c3878e6225d23c139f5bfb1c8b33dfe2940ffa9a5afa5cfeeae5fab2a6371600afb4a1f4f1a4114c31f2a06817a98cf7b1783c09db693ccd5a2f289c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 203ed968e54727a998efbd47ff6132bd
SHA1 0d5bd57ef0fb3fe7b8c86ce1ec883a4c1655f3de
SHA256 4d424f5e6a76c61125d5f82a543ab94aa8f3b6fd3d3817a01ff795ac673aaaeb
SHA512 7b354da1c32ccae1e0666be643c1d5004a92c9a2e17a1c72ab4984b3f1f116727f0f33ab114f353f15bce78318374d8243906d30986aa82b50ee94457c2caa6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0255ad40ac907ab578772e67070715f0
SHA1 02fa7244139392bd779578f9b2df7b136b8b540e
SHA256 fe25190c82f99f746688d79b0a9f9c0b9e46b06d764b4e8d7f40f5d373cf6331
SHA512 9fa8303db8fe6235764aefebd2dbf79dbfae27f4b8d167c73e170379bb17110eeb1e0f3a6adc27b25e14af74fd682d77ada3b91dbce206821bce3b3e370937e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a817b3818c9f39865cb637d7e77885ad
SHA1 434fd76b408f9bd860c5bb3704afe595ca46ec4e
SHA256 b029faf0aaccb16205b2c5ea736e6da38185a4749b6218c2432099f2a80d752d
SHA512 8ef6d26cebe20a55c3964041f741de53210bed133dd3e531e6eed9f0880b5c5f1ac4a4f3d851da7e3fa38b83e2c23c05f4393a4259a096e6073cb223a801eb88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9adde5134e95231438986213afb6f46d
SHA1 46978163c31bb7a702e53b323d64e1db92886574
SHA256 80aa1620f48c541750723d1526fcb473569f4a177f33a5a571fccfed0271e5d1
SHA512 93d1bd7c5a85d02c7dde19d2fca78d1aae92f37973998a729fd75c8619bab84a08c765f08d04e2c39c04f8b2df989a7988769cbc457aa89733645227eaa1354b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 549c9d27191f1c32a6f6d34f1a22cc6f
SHA1 c8471b784826e7c1036ef9646ff0e8b6ce5cfb19
SHA256 c14df1b5e30c605a21a141a742326fe84b8f4f4322d3d079bea510605cb9c8b3
SHA512 e6e73cc71aeb51ef2aad52be17ca73bbd95e097f11a92f2f1a14db0ebf05d2df75b7b087cbb292c3adf02dcd6ccbe14d845186e4faf7d42e2ac43a7a0738e479

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bb227591a4e1d2ce2f78bf3bcc19322
SHA1 74ea9db5f29d3c78fca3966f5d2a2dc03147bf0c
SHA256 0f707adb5e9873c90693639847367739a2a8ad5009d9f366330ebb5e0a14bcd8
SHA512 a1f066451171310cfd341f321d8f9ef094a65be312da342512fb4290d85e99f7f9cb4b66b743acefdc1415a235916a4eaa20016744a6d308dc5dbc9d89903010

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2aaaa9c738c6dd16b7c88ab9813472ee
SHA1 bd20775dc7ed0befd464d8c6cc540f68821f8c89
SHA256 a96da63184c63ee2ca42d14427cdc62f534999b57d4e63caaacd6c048f8f07df
SHA512 0ee3aabb3699c562e7db60be1e69f0022d40645cb6b6a2d0a34ec40a4ad87fd607434c86184d581806cf95af1bd0a1f5f0e57fae1fcd0c8cf0390101d34eac08

memory/2120-567-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3f23bea379229746ee975c59ce0f170
SHA1 7a50252b6a25f13466c4ee49c8ea698d9f0598c1
SHA256 c0dba06cfa6ab4782d939f97d13bb7cccff9db74e8d0458eb2a0f88094f79f1d
SHA512 6ebe8a35eadab269116810a54e565d234b475a5ac6b60dabbdf850499ab686466c989aa20a84cba1b5088bdd13e348fc7b7d2167ef4c0c77691cd1a46b8e439a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 770c2796f7c85990ecd78663979b14ee
SHA1 65816782d02c2ff38b0d3af24cbf48cc8faef4b6
SHA256 e660eb2983de0f736d905e04c00f1d3e92610b4331de043c565f9cb205551d11
SHA512 773afba40447630e532f1f034e0241ce823f71835af3d7c087be648ed9474116f19fa9773a87d211fc757f9300476e6ca502b37aa2b909648eaa20fa3c4a9b6d

memory/2120-668-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d898fdacd7215eb68358ffc51ca7dd8
SHA1 eda997e56ce8edb922b1439134d7b59016316d2e
SHA256 76d3a0f3739c0147c6d169aeb2f0e3ef5d70e557acd82a92a6f6e2f03861dc30
SHA512 8bd7d97b87cce933027965fffa62b1c33b76a687aae7c54eda171b8b9adfcf11b6f577265a48d1c4f7fd584acb778d40693cd533bcf0b159973482da710a9415

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3adb47b1aa80661c8cdceeb6363c965f
SHA1 27e3687c6522c6b39ec65cc776e99135f8cba6e4
SHA256 81fa41826afb4303517ce79f5b696dceb90f0e6361ebadac0f0339266b94ed6f
SHA512 0f3871f55875e4622bdbf8181ed133f098cd28ab1d1256f088ddf03e3049366a3ad0a247b24cc75a6944bdebdc7006359422723104dfc6a85d60fb50bdf1af5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41edf74f2e196a5b23ca4c112779ff77
SHA1 567c7039a4aa2658ca0d85aa22b1c4b71454505e
SHA256 a8812909a54022cff9ddfb0d45205f3a17b06e800c9ccc3ccfd2d9b61b985b98
SHA512 e79c2c3c978ddc908abb765a523f7cb57197faff413f2ee857e42380865f686e6e8b91a84662473bef2304d4b345b82a708453997361e081e082e2a54f8ea242

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19495cad195480681e6ed240822b9d0d
SHA1 4efb5abde4fc57ee1fcafed54e5509a1a7e6623e
SHA256 66f626941c433dbb99bdc77482e19944391d999fc4482910fec55929e9470fee
SHA512 7aa48a739e35dc1b94f22b55e3b646dc634f8b5d23708376fffe95fd0106a21bdcd6316ed77f021aabc82f5cf407be2e11657113a259e0503bc48b76b3554433

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95d7143e34b27b5f895bf668ac8527f2
SHA1 a7ba0c66474183ec50d92e34d089dc9465750fea
SHA256 9cd61612e871f14aadde8d5113c8f89e49033febdfc42496ee2b7e8f3899361f
SHA512 8b677d0056ee8f71fc9abb0501a376d4e2633ccf4582cf2732c5e4575dae02e61d7ff0e401f21e9179dbfba6b83683290bd410f028602cbefaf128e0803df9a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 383464e6c55401166e256f6eae1c37dd
SHA1 2d60ff2c112cfa9e275a3f385ad30e33b98bb5ac
SHA256 dd245490ef1f6cf305f3d067f06a5eb6888d53958ebf6858a69c23b24bab2f36
SHA512 b9ffc8b81d97c631b047d5de1f7ef6309afd3886a54f76acfc61fb43b3e612440e9a5d187ffe160b788a23cba93c8e4925e7e23df6668982b89af1ecd1d24a30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b7647896d9c8d7916b8da13a0e04c80
SHA1 d150d9c0de2b10b41cc7ba46e8d03a805abfe178
SHA256 1ab72677fa6cbc1fd13faa6b6726654d741d28e8c3261027326fde238f8f77a0
SHA512 ad19f13d1a74a8419e1bde6fd84525b39b45627930f4d2321f4b5649124951dd4dba200b0710bb52f852beef0498f8bad3a0cd651379c294f1b534c681035c70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 103601c828b3443e5f1b0ba7de0ead77
SHA1 71e3caf4fd380661a6825b0de4c05e5a9c9aa89b
SHA256 e4ad91e8a808a156a5a7c39d828480be641973c976527448c2086c6c182528be
SHA512 50b9144e5627e5670b7eceff93ce4e44db410728532fb40de435ea66aec2736a2b7ffef2b73531677f53c5afe072b207da9a5ca154f5ed7a9062afffb225c2e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a41211d403cf63e53180c8981739c112
SHA1 1f5b04fb4b0b0d468854b3b1d7fb8d89823662d1
SHA256 0effe26d35c67f4d7c9ce2d8361722673c089b534350d624780c573036c2c1b8
SHA512 ec83fb32e14b5f48cb9c8caf6fb6700d442d21811fa86d0fe96575539b08af0bb35de234ccbe75f84820af51d4ca99887dd3e4155646d02a407459d27e9836c0