Malware Analysis Report

2024-09-11 12:58

Sample ID 240612-p2k87aygln
Target aspweb88.exe
SHA256 bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4
Tags
sality backdoor bootkit evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4

Threat Level: Known bad

The file aspweb88.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor bootkit evasion persistence trojan upx

Windows security bypass

Modifies firewall policy service

UAC bypass

Sality

Windows security modification

UPX packed file

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Replication Through Removable Media
T1091
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Replication Through Removable Media
T1091
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:49

Reported

2024-06-12 12:53

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\taskhost.exe
PID 1264 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\Dwm.exe
PID 1264 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\Explorer.EXE
PID 1264 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\aspweb88.exe

"C:\Users\Admin\AppData\Local\Temp\aspweb88.exe"

Network

N/A

Files

memory/1264-0-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1264-2-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-8-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-10-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-5-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-6-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-26-0x0000000000750000-0x0000000000751000-memory.dmp

memory/1264-7-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-24-0x0000000000750000-0x0000000000751000-memory.dmp

memory/1264-23-0x0000000000740000-0x0000000000742000-memory.dmp

memory/1264-31-0x0000000074EE1000-0x0000000074EE2000-memory.dmp

memory/1264-32-0x0000000074EE0000-0x0000000074EE9000-memory.dmp

memory/1264-30-0x0000000000740000-0x0000000000742000-memory.dmp

memory/1264-29-0x0000000000740000-0x0000000000742000-memory.dmp

memory/1264-27-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1120-14-0x0000000001F90000-0x0000000001F92000-memory.dmp

memory/1264-4-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-11-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-9-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-28-0x0000000001E50000-0x0000000002EDE000-memory.dmp

memory/1264-38-0x0000000000740000-0x0000000000742000-memory.dmp

memory/1264-49-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1264-48-0x0000000001E50000-0x0000000002EDE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:49

Reported

2024-06-12 12:54

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\BlockDeny.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\fontdrvhost.exe
PID 1992 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\fontdrvhost.exe
PID 1992 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\dwm.exe
PID 1992 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\sihost.exe
PID 1992 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\svchost.exe
PID 1992 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\taskhostw.exe
PID 1992 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\svchost.exe
PID 1992 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\DllHost.exe
PID 1992 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1992 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\System32\RuntimeBroker.exe
PID 1992 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1992 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\System32\RuntimeBroker.exe
PID 1992 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\System32\RuntimeBroker.exe
PID 1992 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1992 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1992 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 1560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 1560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 4460 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1268 wrote to memory of 4460 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\aspweb88.exe

"C:\Users\Admin\AppData\Local\Temp\aspweb88.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://127.0.0.1:88/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffea68746f8,0x7ffea6874708,0x7ffea6874718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16916221588738328430,16578026682838845743,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2912 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.netbox.cn udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp

Files

memory/1992-0-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1992-1-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-3-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-9-0x00000000008A0000-0x00000000008A2000-memory.dmp

memory/1992-14-0x00000000008A0000-0x00000000008A2000-memory.dmp

memory/1992-8-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-12-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-15-0x00000000008A0000-0x00000000008A2000-memory.dmp

memory/1992-11-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-10-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/1992-13-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-7-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-6-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-4-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-19-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-20-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-21-0x0000000002380000-0x000000000340E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

memory/1992-23-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-29-0x0000000002380000-0x000000000340E000-memory.dmp

\??\pipe\LOCAL\crashpad_1268_TDDJSLEFMOUZCUHX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 65327cd360eed602f9961b20979477dc
SHA1 e091a0ce1456af30d9025afbf746c623a2bfe1a7
SHA256 4a81ed3b471745c9c2110d28d615dc0d773d52be372e479c3e13d9cb64f638f6
SHA512 5d8e45b625301d0236154e93f40d7fbceae24c7edb8ec03892799adcac3f9e8cbb4cc93c5bb6021978d09fdb1da4864a5d07ff73e2132cc9fcdeed5fd1bc2541

memory/1992-47-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-50-0x0000000002380000-0x000000000340E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/1992-72-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-73-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-74-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-79-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-78-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-84-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-87-0x0000000000400000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0a90d4079f6941d0a3c0c091cf674512
SHA1 3f84febcf53f4b70355f920ca303307154f9e0ba
SHA256 1f7f32b9431d7def384458391e0ff082b2071e70c30b76cef44c439dad24a79c
SHA512 2634e734da2a44f46f07d0d9bde2ab211b3aa796710419d9a0b893573781b26c764946621916dbbf0262d1827519f5000016bf87186d71c50e30851063199dff

memory/1992-94-0x0000000002380000-0x000000000340E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3daefa871768864afde8facab427921d
SHA1 99e69562ee13a468e9f64a5a2b60a6e44c9bc53e
SHA256 cb23b9ae31864b0385df47268c56d54c59be06af02158e27cb39e750da525599
SHA512 82bdbee6d9e2d7db27d4af995e20106393001fbc51cef89a9ba08b66eb9c90751fcf8d39c80689a6960d157d61fac6475437b01b5dc5902bcfc4ea0bfbc27b80

memory/1992-104-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-105-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-108-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-109-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-110-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-111-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-114-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-118-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-119-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-120-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-126-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-127-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-128-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-129-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-132-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-134-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-135-0x0000000002380000-0x000000000340E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c3893ee27a1b0c04e96660c19012f506
SHA1 79a665d9c637223cd5be73145b8ea3c408b9ed82
SHA256 cbbca672434a0361d5bde0b9277f4aecc7e59837c932a464e0298372eb463201
SHA512 e47316b11212cc0c5f1204b65ed83d99f0319909c47204c82f56cf7476fc3e8f878852b85281f402396fec6840625cd539b5b9f7c6775791620756fb62632014

memory/1992-154-0x0000000002380000-0x000000000340E000-memory.dmp

memory/1992-156-0x00000000008A0000-0x00000000008A2000-memory.dmp

F:\pujt.exe

MD5 b60698c7a64cf47f933d6447c22d1157
SHA1 ec43c02d63eb56eed7a47f9c40c568f7dd4bb946
SHA256 09beeca5167b06475abf661607240acaa26a76952faba24567a6ccb4c39785af
SHA512 39c445792d8c3cf0d395122a654c787f0a8c2370140006584bdb8a1b18ffd90e677f9b6852ade059144d14f05568eb0d8652e7a37f9b82c9dbe4ea51d21ae30e

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 12:49

Reported

2024-06-12 12:54

Platform

win11-20240508-en

Max time kernel

121s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\fontdrvhost.exe
PID 760 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\fontdrvhost.exe
PID 760 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\dwm.exe
PID 760 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\sihost.exe
PID 760 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\svchost.exe
PID 760 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\Explorer.EXE
PID 760 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\svchost.exe
PID 760 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 760 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
PID 760 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\System32\RuntimeBroker.exe
PID 760 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\svchost.exe
PID 760 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\System32\RuntimeBroker.exe
PID 760 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 760 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 4564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 4564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 4504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 4504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2784 wrote to memory of 1012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Users\Admin\AppData\Local\Temp\aspweb88.exe

"C:\Users\Admin\AppData\Local\Temp\aspweb88.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://127.0.0.1:88/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6bc3cb8,0x7ffaf6bc3cc8,0x7ffaf6bc3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12539010248335622985,13252650087625602431,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4636 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.netbox.cn udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp
US 52.111.227.11:443 tcp

Files

memory/760-0-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/760-1-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-5-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-8-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-6-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-14-0x00000000038B0000-0x00000000038B2000-memory.dmp

memory/760-11-0x00000000038C0000-0x00000000038C1000-memory.dmp

memory/760-10-0x00000000038B0000-0x00000000038B2000-memory.dmp

memory/760-4-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-7-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-9-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-12-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-17-0x00000000038B0000-0x00000000038B2000-memory.dmp

memory/760-13-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-19-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-20-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-21-0x0000000002520000-0x00000000035AE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c705388d79c00418e5c1751159353e3
SHA1 aaeafebce5483626ef82813d286511c1f353f861
SHA256 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d
SHA512 c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

\??\pipe\LOCAL\crashpad_2784_JXROZVPYLXFGNWVZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0d84d1490aa9f725b68407eab8f0030e
SHA1 83964574467b7422e160af34ef024d1821d6d1c3
SHA256 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
SHA512 f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bead3e8789069e65c1f97241bffe5f5f
SHA1 6af7312a625d94633c22e1636ed692056cb10cb7
SHA256 93f8b51727817b29f3d8ecb746eaa97f3f319fea28f7532af872142822769d1c
SHA512 f53658d72f4b2ed9599bfcc4fd5dd290766fa82640c09d4a4455505e965e65f6a17b331fc9d489fce00615b10887bf49bcd7ca14e627e6f0cbe0bfc43fd59eb9

memory/760-44-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-45-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-47-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-48-0x0000000002520000-0x00000000035AE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/760-71-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-73-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-78-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-80-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/760-81-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-82-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-86-0x0000000002520000-0x00000000035AE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b20803bb469422c0726b61b3d3d5a823
SHA1 4d78182a40852ec9e53419c1e8b84fa0bde051f4
SHA256 2abb846e65eaeea73be5352f3b25a4185179948da82689b2ce43e9e615bd7518
SHA512 0af121526fc0c72bf3b094a95a979ff76057d56040f7fecee49d9d9b85bc8686a7bcf32e6968ea6d04dab8983a086b2ef9f5c993403d0161ade79bc880258984

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b5211d9b1b26dc0d8d594b90de19049f
SHA1 27b6cbc374a4fdc2e24766ed21feff1e03ae9567
SHA256 c98287c6bb2f962e1e65b9be8337136f63ce8e56a8ec8780012ebc3b80a2ac9a
SHA512 669e109f5c9cbb3ff65062567d800894d8d75c32531370b27152bedd32a1b3e926e2fa788cabd716e3c237374c228cb9a9df354c29fe4589d407f96401eb98b1

memory/760-101-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-103-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-104-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-106-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-109-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-112-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-114-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-116-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-117-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-119-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-122-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-130-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-131-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-132-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-133-0x00000000038B0000-0x00000000038B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 211caa6657d841ce34748515a5dba032
SHA1 37c7cd8a4d398501229fe881ced61b2c592bbcad
SHA256 2f7dcd0e0446b98594b635c0cb88aa281c3caeab6f67aca942fc6ea1b7519bb4
SHA512 ba98e6be532869b439bb6aca0c7cbe16a710febf919ab85bd89b804cefb8d9aedec5c13f3d129bebe9ed0718f983ce0f30362ebc1978e934ab5b43e001cc3622

memory/760-135-0x0000000002520000-0x00000000035AE000-memory.dmp

memory/760-155-0x0000000002520000-0x00000000035AE000-memory.dmp

C:\ahqdt.pif

MD5 2603a0586df330892ae16f73c2f8ea0f
SHA1 d29cb0bf2677705a9508f964be14bc003f5c9ae5
SHA256 8a0a9cfdf8312bf9b458de7b4f12674796c56ce4f7a4d0504bd7484e0addcdb0
SHA512 eac35ab8c30d3f64df372ee1a0297b49e0e8e6e2427be513a8896374cd04439105169f52d15dd4e1822f1bf2b98acc372fd98881fdf1a7a9f2c9d731c7eb88d3