Malware Analysis Report

2024-09-11 12:12

Sample ID 240617-bh4pjaxckc
Target 599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe
SHA256 599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632
Tags
sality backdoor evasion trojan upx bootkit persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632

Threat Level: Known bad

The file 599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx bootkit persistence

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

UPX packed file

Windows security modification

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System policy modification

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Replication Through Removable Media
T1091
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Replication Through Removable Media
T1091
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-17 01:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 01:09

Reported

2024-06-17 01:12

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe

"C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe"

Network

N/A

Files

memory/3040-1-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/3040-2-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-4-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-8-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-12-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-11-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-7-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-16-0x0000000076A50000-0x0000000076B40000-memory.dmp

memory/3040-6-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-5-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-13-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-15-0x0000000076A50000-0x0000000076B40000-memory.dmp

memory/3040-14-0x0000000076A60000-0x0000000076A61000-memory.dmp

memory/3040-27-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/3040-26-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/3040-28-0x0000000076A50000-0x0000000076B40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 01:09

Reported

2024-06-17 01:12

Platform

win10v2004-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\fontdrvhost.exe
PID 4720 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\fontdrvhost.exe
PID 4720 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\dwm.exe
PID 4720 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\sihost.exe
PID 4720 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\svchost.exe
PID 4720 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\taskhostw.exe
PID 4720 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\Explorer.EXE
PID 4720 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\svchost.exe
PID 4720 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\DllHost.exe
PID 4720 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4720 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\System32\RuntimeBroker.exe
PID 4720 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4720 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\System32\RuntimeBroker.exe
PID 4720 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4720 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\System32\RuntimeBroker.exe
PID 4720 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\System32\RuntimeBroker.exe
PID 4720 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4720 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SysWOW64\explorer.exe
PID 4720 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SysWOW64\explorer.exe
PID 4720 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SysWOW64\explorer.exe
PID 3340 wrote to memory of 2000 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 2000 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2000 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe

"C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\explorer.exe

explorer.exe "http://localhost:80"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e4f846f8,0x7ff8e4f84708,0x7ff8e4f84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3877297160582736254,12420052611380598045,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.netbox.cn udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp

Files

memory/4720-0-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/4720-1-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-8-0x0000000000600000-0x0000000000602000-memory.dmp

memory/4720-11-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-5-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-3-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-9-0x0000000000760000-0x0000000000761000-memory.dmp

memory/4720-12-0x0000000000600000-0x0000000000602000-memory.dmp

memory/4720-7-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-14-0x0000000000600000-0x0000000000602000-memory.dmp

memory/4720-13-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-10-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-15-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-6-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-4-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-19-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-20-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-22-0x00000000023E0000-0x000000000346E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_2000_BPWUJINDZHZFAWNS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 79b1f1d79d10ed33bda6fc9d2622b33e
SHA1 b33fe1f8d1f724cca564b91b36d4d4f367135420
SHA256 06dae8a3edca995d17d4c338532e59d57876f4a70683e507577e015e1e99ed41
SHA512 d5776607015167986b2b50ffd53afcc9f7b0d9b0516890747e2a99aa052db73b69a1dc4b1c23c68b9dc7709999fb630a07b771b2c5a3450f39baaae60ae43e83

memory/4720-44-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-45-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-49-0x00000000023E0000-0x000000000346E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/4720-68-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-71-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-73-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-78-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-80-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-82-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/4720-83-0x00000000023E0000-0x000000000346E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d01857e75f28c31022d0b88eebd8c11d
SHA1 dbafb73732747b535a1897d66e9a23a812e0c51a
SHA256 e873e73b4343a81b517a889c4e5c97d97e44238e04c749aa2c6be226aceba30a
SHA512 4be71efc36935895b3880c5147c45a7b6eaf1f2019394b539529cac623898c78156e8fa86fb4b860c2685b9303a0dd5db243fcc0bb00ee99d778cc0fcf3b655f

memory/4720-91-0x00000000023E0000-0x000000000346E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9b3cea08eeb0bb906be436ae305a85f6
SHA1 0a67a4774b1e7e7086a8ffba959eeedde8d3e0df
SHA256 64988bf463318a0d7b01e126b353981559c14f6f2be7d4928978fb15c2e5e775
SHA512 f86fd6a775b07a376011f9322630c033b26e5bd60895f8be8f1f920f0408cb5a7f8c56f9620ef9b80278791f78ca8cc3d19316e7ce9bfdd7a924d2df6c5271ad

memory/4720-102-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-105-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-106-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-108-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-109-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-110-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-111-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-113-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-118-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-119-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-126-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-127-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-129-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-131-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-132-0x0000000000600000-0x0000000000602000-memory.dmp

memory/4720-135-0x00000000023E0000-0x000000000346E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0e7de1fd02f24acd6eaa813e69e9f5c6
SHA1 18230a1dbf6499a2e0651196a425f4aebcd1f1d3
SHA256 cfcd64c32bd282e2ff61127a70c9d9cfd3b814037fd24c476ea42e0450d33c55
SHA512 3491677ac14c05b73c4b75caf901110bf407cd68a5fdc528bb7e3d62c3cd92172e00b54948193dd986c1c6b2a77a0e9ca830b31e0846d2bf9c5087b7e504e684

memory/4720-154-0x00000000023E0000-0x000000000346E000-memory.dmp

memory/4720-155-0x00000000023E0000-0x000000000346E000-memory.dmp

F:\vncwh.exe

MD5 8d4f64a0f4ec6f5b7796574f43a9451f
SHA1 a15937182d29d2a8c5182ae56c0b753f7895ae0d
SHA256 d36d31e4ea49ff7e913f68a889520f1544e9f7df037c288ccdf6ca1d49471415
SHA512 643288ac8739e661948b013b12202c8ef789bdd8418dfd706646c47ab00bd19e0972ad7c3e0c608116d022db2c1d0187985636e08b446bf199bf0922d28da688