Malware Analysis Report

2024-10-18 22:17

Sample ID: 240625-felf1avbnn
Target: f95f4d17abbcfd64a5cca639cd4c47620955435db9a2c63e1b68a6b74bdb1e77
SHA256: f95f4d17abbcfd64a5cca639cd4c47620955435db9a2c63e1b68a6b74bdb1e77
Tags: upx qr link evasion trojan
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis Overview

Score: 7/10
SHA256: f95f4d17abbcfd64a5cca639cd4c47620955435db9a2c63e1b68a6b74bdb1e77
Threat level: shows suspicious behavior

Verdict: f95f4d17abbcfd64a5cca639cd4c47620955435db9a2c63e1b68a6b74bdb1e77 shows suspicious behavior. No family-specific signature is listed; the score rests on the static indicators (UPX packing, AutoIt, no Authenticode signature, a URL encoded in a QR code) and on the generic behavioural signatures summarised below.

Malicious Activity Summary

Tags: upx qr link evasion trojan

UPX packed file

Checks whether UAC is enabled

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

One or more HTTP URLs in qr code identified

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-25 04:47

Signatures

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A

Static match only (UPX section names or stub strings are present). Packing hides strings and imports from static scanners but is not malicious by itself; if the stub is unmodified, upx -d restores the original image for further analysis.

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

The binary is a compiled AutoIt v3 script. The script is embedded in the executable and can usually be recovered with an AutoIt decompiler once the UPX layer is removed.

One or more HTTP URLs in qr code identified (tags: qr link)

No indicator details are recorded for this match; the decoded URL is not listed.

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

No Authenticode signature is present in the file.
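The three static verdicts above (UPX, AutoIt, unsigned) come from header and string checks that are easy to reproduce without a sandbox. The following is an added example, not part of this report, that performs those checks on a PE image with the Python standard library alone and exercises them on a constructed, non-executable PE32 skeleton. The AU3!EA06 marker and the UPX0/UPX1 section names are the well-known indicators; the skeleton builder, its layout and the triage() result shape are this example's own.

```python
import struct

# Magic at the start of the script blob embedded in compiled AutoIt v3 executables.
AUTOIT_MARKER = b"AU3!EA06"
# Section names left behind by an unmodified UPX stub.
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def _nt_header_offset(pe: bytes) -> int:
    """Return the offset of the 'PE\\0\\0' signature, validating the MZ/PE magics."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def section_names(pe: bytes) -> list[str]:
    """Walk the IMAGE_SECTION_HEADER table and return the NUL-stripped section names."""
    nt = _nt_header_offset(pe)
    num_sections = struct.unpack_from("<H", pe, nt + 6)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = nt + 24 + opt_size                                # section table follows the optional header
    return [
        pe[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
        for i in range(num_sections)
    ]


def security_directory(pe: bytes) -> tuple[int, int]:
    """Return (offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4).

    Size 0 is what the sandbox reports as "Unsigned PE". A non-zero size only means a
    signature blob is attached; whether it is valid has to be checked separately.
    """
    nt = _nt_header_offset(pe)
    opt = nt + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    count_off = opt + (108 if pe32plus else 92)              # NumberOfRvaAndSizes
    if struct.unpack_from("<I", pe, count_off)[0] <= 4:
        return (0, 0)
    dirs = opt + (112 if pe32plus else 96)                    # first IMAGE_DATA_DIRECTORY
    return struct.unpack_from("<II", pe, dirs + 8 * 4)


def triage(pe: bytes) -> dict:
    """Reproduce the three static verdicts: packer, AutoIt marker, signature presence."""
    names = section_names(pe)
    _, sig_size = security_directory(pe)
    return {
        "sections": names,
        "upx": any(n in UPX_SECTIONS for n in names),
        # On a UPX-packed sample the marker usually sits inside the compressed payload;
        # re-run on the unpacked image (upx -d) if sections say UPX but this is False.
        "autoit": AUTOIT_MARKER in pe,
        "signed": sig_size > 0,
    }


def build_sample_pe(sections: list[bytes], *, signed: bool = False, autoit: bool = False) -> bytes:
    """Construct a minimal, non-executable PE32 skeleton for offline testing (constructed input)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                                      # PE32 optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * 4, 0x1000, 0x800)  # fake security directory entry
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    body = b"\0" * 0x100 + (AUTOIT_MARKER if autoit else b"") + b"\0" * 0x40
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table + body


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], autoit=True)
    print(triage(packed))
```

On a real sample, read the file into bytes and call triage(). If the sections report UPX but autoit comes back False, unpack first and run it again, because the marker lives in the compressed payload. A non-zero security directory shows only that a signature blob is present; verify it with a signature checker before treating the file as signed.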

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-25 04:47
Reported: 2024-06-25 04:49
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\dControl\_____.url

This run detonates the .url Internet shortcut found in the sample's dControl directory rather than the executable. rundll32 calls the OpenURL export of ieframe.dll, which hands the shortcut's target to the default browser using signed Windows binaries only; the Processes list below shows Edge starting with http://www.aichunjing.com/ as a result.

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

All three reads are by msedge.exe, the browser that rundll32 launched to open the shortcut, not by the sample. BIOS manufacturer and product-name lookups are also a common virtual-machine check, so the attribution matters when weighing this hit.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Rows
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 25

25 identical rows. FindShellTrayWindow locates the taskbar window; the caller is Edge, so this is browser UI activity rather than the sample's.

Suspicious use of SendNotifyMessage

Description Indicator Process Target Rows
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 24

24 identical rows. SendNotifyMessage posts window messages; again the caller is Edge.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 4888 wrote to memory of 904 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 904 wrote to memory of 4472 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 904 wrote to memory of 4504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 40
PID 904 wrote to memory of 2132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 904 wrote to memory of 3624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 18

64 rows in total, collapsed by writer/target pair. Every write goes from a parent into a child it has just created: rundll32 (4888) into the Edge browser process it launched (904), and 904 into the Edge helper processes it spawned. That is the footprint of ordinary process creation rather than code injection, and the reason this signature fires on almost any browser launch; there is no write into a pre-existing or unrelated process.
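The collapsed table above hides how the sandbox emits these rows: one per WriteProcessMemory call, so a single child spawn produces many identical lines. The following added example, not part of this report, parses rows in the report's own "PID A wrote to memory of B" format, counts them per writer/target pair, rebuilds the parent-child tree and flags any target written by more than one distinct writer, which is the case that would point to injection into an existing process instead of process creation. The input is a constructed excerpt using the report's PIDs and image paths; its per-pair counts are smaller than in the full table.

```python
import re
from collections import Counter, defaultdict

# One sandbox row per WriteProcessMemory call:
#   "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+N/A\s+(.+?\.exe)\s+(.+?\.exe)\s*$")

RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed excerpt: the writer/target pairs are the report's, the per-pair counts are
# reduced (the full table has 2, 2, 40, 2 and 18 rows respectively).
_EXCERPT = (
    [(4888, 904, RUNDLL32, MSEDGE)] * 2
    + [(904, 4472, MSEDGE, MSEDGE)] * 2
    + [(904, 4504, MSEDGE, MSEDGE)] * 3
    + [(904, 2132, MSEDGE, MSEDGE)]
    + [(904, 3624, MSEDGE, MSEDGE)] * 2
)
SAMPLE_TABLE = "\n".join(f"PID {s} wrote to memory of {d} N/A {si} {di}" for s, d, si, di in _EXCERPT)


def parse_rows(text: str) -> list[tuple[int, int, str, str]]:
    """Parse report rows into (writer_pid, target_pid, writer_image, target_image)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def count_edges(rows) -> Counter:
    """Number of recorded writes per (writer, target) pair."""
    return Counter((s, d) for s, d, _, _ in rows)


def build_tree(rows) -> dict[int, list[int]]:
    """writer -> targets in order of first appearance (parent -> children for a spawn)."""
    children: dict[int, list[int]] = defaultdict(list)
    for s, d, _, _ in rows:
        if d not in children[s]:
            children[s].append(d)
    return dict(children)


def roots(rows) -> list[int]:
    """PIDs that write but are never written to: the top of each chain."""
    writers = {s for s, _, _, _ in rows}
    targets = {d for _, d, _, _ in rows}
    return sorted(writers - targets)


def multi_writer_targets(rows) -> set[int]:
    """Targets written by more than one distinct PID. A freshly spawned child has exactly
    one writer (its parent); a second writer means someone wrote into an existing process."""
    writers: dict[int, set[int]] = defaultdict(set)
    for s, d, _, _ in rows:
        writers[d].add(s)
    return {d for d, ws in writers.items() if len(ws) > 1}


def render_tree(rows) -> str:
    """Indented process tree with the write count on each edge."""
    names = {}
    for s, d, si, di in rows:
        names[s] = si.rsplit("\\", 1)[-1]
        names[d] = di.rsplit("\\", 1)[-1]
    edges, tree, lines = count_edges(rows), build_tree(rows), []

    def walk(pid: int, depth: int, writes: int) -> None:
        suffix = f" ({writes} write{'s' if writes != 1 else ''})" if writes else ""
        lines.append("  " * depth + f"{pid} {names[pid]}{suffix}")
        for child in tree.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots(rows):
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_TABLE)
    print(render_tree(parsed))
    print("targets with more than one writer:", multi_writer_targets(parsed) or "none")
```

Paste the report's full table into SAMPLE_TABLE to get the real counts; the tree will still have a single root (4888) and no multi-writer target, which is what makes this signature noise for this run.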

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\dControl\_____.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.aichunjing.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86ae746f8,0x7ff86ae74708,0x7ff86ae74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,2480224526789134548,14765866172765742938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1360 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.aichunjing.com udp
N/A 224.0.0.251:5353 (mDNS, no name) udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 www.aichunjing.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.aichunjing.com udp
US 8.8.8.8:53 www.aichunjing.com udp
US 8.8.8.8:53 www.aichunjing.com udp

Only DNS traffic was captured: repeated lookups of www.aichunjing.com (the URL Edge was launched with), google.com, reverse lookups of the two resolvers, and one multicast DNS packet. No TCP connection to the resolved host appears in the capture, so www.aichunjing.com is the only network indicator this detonation yields.

Files

All files written in this run are Edge profile and crash-reporter artifacts under the browser's User Data directory, attributable to the browser launch rather than to the sample. Where the same path is listed twice with different hashes, the sandbox captured two successive versions of the file. The crashpad named pipe is listed with the hashes of empty input.

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_904_VEZJQFXHXOPVMBGU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a41ddd12dfc4b90bfd195723c3bdafb8
SHA1 c70219764885f47e0747d5aea6acff0bea1148f2
SHA256 d7c136c1c9d09c36d426f59a81b4905f5d772f7a46e26533692faed458dea6c9
SHA512 afb304f242298fab2d05581a1193266a6af6c573530f29d504d85c22a3ff66a344c6249640a79a32403a1e0866ad0e26da5e563b9fa32716aa380a24bc0eff6d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 26f835770d015ca576608edfab51b8a9
SHA1 e8822a0883f532a6f6439c48b81aa8022aee80d9
SHA256 93299213061cd3efac64edd856f5867e5a5f92be1fdd42865b4ccaa623bdbcd4
SHA512 05906c38515cb8e92f29e64cb1623f6dbd0bfdf8b90130bac2f03c82f31db9a5368008baa44af10c38f5f2f2c6ad734a20bb215de936d424004bac35a514828c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 dc179b2068023fc97c23d8cc9a1d315d
SHA1 f64f5401be1a1d271d67ac986dd52f73a72497e8
SHA256 a94836ea6ad984d8a6e18c81d1a0f0c1e36d2785bb50b3e2337dc05ceb555b18
SHA512 d13a047e2133b386a4c50a4a944bc077510992e526f0794e120b29ec5495111f41870f1989787b966f016cc070106c2e550c0a865c8433553d035633cc810b56

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-25 04:47
Reported: 2024-06-25 04:49
Platform: win7-20240508-en
Max time kernel: 149s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe"

Signatures

UPX packed file (tag: upx)

Description Indicator Process Target Rows
N/A N/A N/A N/A 19

AutoIT Executable

Description Indicator Process Target Rows
N/A N/A N/A N/A 19

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240625044713.cab C:\Windows\system32\makecab.exe N/A

The writer is makecab.exe compressing the component-servicing log (CbsPersist_*.cab under C:\Windows\Logs\CBS), a routine Windows housekeeping task that happened to run during the detonation. It is not attributable to dControl.exe.

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A

Repeated GetForegroundWindow polling. AutoIt-built GUI programs do this routinely to track window focus; the same call is also used to test whether a user is interacting with the desktop, which is why the sandbox flags it.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Rows
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A 2
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A 2
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A 2
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A 1

Seven rows in the original: the SeDebug, SeAssignPrimaryToken, SeIncreaseQuota sequence appears twice with the "Token: 0" row between the two passes. SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege are the two privileges CreateProcessAsUser requires, and SeDebugPrivilege lets a process open handles to other processes regardless of their DACL; together they are what a program needs to start a child under a token it has taken from another process. "Token: 0" is a privilege the sandbox could not name and is left as recorded.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A (64 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A (64 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe

"C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe"

C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe

C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe

C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe

"C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe" /TI

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240625044713.log C:\Windows\Logs\CBS\CbsPersist_20240625044713.cab

Network

N/A

Files

memory/1904-0-0x0000000000400000-0x00000000004CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1q9k0m4g.tmp

MD5 3bc9acd9c4b8384fb7ce6c08db87df6d
SHA1 936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
SHA256 a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
SHA512 f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

memory/1904-22-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/2720-23-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/2720-45-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/2620-46-0x0000000000400000-0x00000000004CD000-memory.dmp

C:\Windows\Temp\aut1F36.tmp

MD5 ecffd3e81c5f2e3c62bcdc122442b5f2
SHA1 d41567acbbb0107361c6ee1715fe41b416663f40
SHA256 9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
SHA512 7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

C:\Windows\Temp\aut1F35.tmp

MD5 efe44d9f6e4426a05e39f99ad407d3e7
SHA1 637c531222ee6a56780a7fdcd2b5078467b6e036
SHA256 5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
SHA512 8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

C:\Windows\Temp\aut1F34.tmp

MD5 9d5a0ef18cc4bb492930582064c5330f
SHA1 2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
SHA256 8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
SHA512 1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

memory/2620-67-0x0000000000400000-0x00000000004CD000-memory.dmp (13 further dumps of the same region of PID 2620, indices 79 through 91)

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-25 04:47

Reported

2024-06-25 04:49

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows)

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows)

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A (64 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe N/A (64 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe

"C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe"

C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe

C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe

C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe

"C:\Users\Admin\AppData\Local\Temp\dControl\dControl.exe" /TI

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

memory/3380-0-0x0000000000400000-0x00000000004CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3c3a8x0a.tmp

MD5 3bc9acd9c4b8384fb7ce6c08db87df6d
SHA1 936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
SHA256 a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
SHA512 f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

memory/5108-21-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/3380-22-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/3160-43-0x0000000000400000-0x00000000004CD000-memory.dmp

memory/5108-45-0x0000000000400000-0x00000000004CD000-memory.dmp

C:\Windows\Temp\aut473A.tmp

MD5 9d5a0ef18cc4bb492930582064c5330f
SHA1 2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
SHA256 8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
SHA512 1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

C:\Windows\Temp\aut474B.tmp

MD5 efe44d9f6e4426a05e39f99ad407d3e7
SHA1 637c531222ee6a56780a7fdcd2b5078467b6e036
SHA256 5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
SHA512 8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

C:\Windows\Temp\aut474C.tmp

MD5 ecffd3e81c5f2e3c62bcdc122442b5f2
SHA1 d41567acbbb0107361c6ee1715fe41b416663f40
SHA256 9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
SHA512 7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

memory/3160-66-0x0000000000400000-0x00000000004CD000-memory.dmp (13 further dumps of the same region of PID 3160, indices 67 through 79)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 04:47

Reported

2024-06-25 04:49

Platform

win7-20240611-en

Max time kernel

127s

Max time network

129s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\dControl\_____.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD68D661-32AD-11EF-A05A-CE80800B5EC6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425452701" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\dControl\_____.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.aichunjing.com udp
HK 43.155.96.87:80 www.aichunjing.com tcp
HK 43.155.96.87:80 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
CN 112.50.95.196:80 ocsp.trust-provider.cn tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp
US 8.8.8.8:53 hm.baidu.com udp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 183.201.243.134:80 ocsp.trust-provider.cn tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 36.248.38.196:80 ocsp.trust-provider.cn tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 140.249.150.23:80 ocsp.trust-provider.cn tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 117.27.246.196:80 ocsp.trust-provider.cn tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
HK 43.155.96.87:443 www.aichunjing.com tcp

Files

memory/2252-0-0x0000000001D30000-0x0000000001D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2464.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2486.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca81d9ced938998647d820e7144cb122
SHA1 1f024ab00ad8e27e9392a8c9149f7997211e62e4
SHA256 5babcb5f82a00fd950bffff2f07ad322daf6f06efddd5b1c3c7c9f69e694f3b7
SHA512 ce83dc1a652f953a1fa86d42eeb44f3f4cc4704a9c111efa25ddbaeaf644a06a9462cc9543c25dce9818cdf978bb645c21e5f349c1b42b4d93524338ad1b01b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39205137a49e2fb167ed1880a2f63ba0
SHA1 a41778883481bb02a0cc3d9a4db0c896003f352e
SHA256 e3a4bc5f96cdd0039779b24242486b88d7095dab29536d1dc9452412862f2016
SHA512 b1d875505d168dedb48a0279af8bab21240422f07696db8443b5f98e6c8f00a28b229984ffc0e7876d8c59988f142673cca3c8b639a02e5392b6df8d0d86fd17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17fd072fea3f49383db5295918b30231
SHA1 427de57cbb94bbb51fedd70ef8b106d4a3f490a7
SHA256 827d650f19e43fc2fc9e5d87d6e0e33464375c3ae8a74340855f6d3603056a93
SHA512 8a682141f6f01abc299d1ed9fddbea12a31179541b0dd72ef6168a75c87a728373367fd884505afb294a776a8c7baf285363845c302509108924a215befaa239

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5020265e66a75ac9afb50e895bc496e4
SHA1 f1aa51ae6610eee2e19b5589a4b0f5885c9c56c0
SHA256 5fa354793b7c82d262bc0e4deed31899f8d99d2126caacfb25754510fbad36fb
SHA512 10d416492b96d2aa51bf71cecb6bb2b653cacf624c5686e854871ee0552143315f026d733bf4643d51c320c02d1fda723c679c3a8526df7c168a670d83920ace

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b7cc9e72234ccbbd5d3798b49e32575
SHA1 448f4e46b5d1896b871ada8636f5c5519ea53f4b
SHA256 a4084a861e681ad717a98ceccda8b55ab319d41681e7cc72bccf6ac7a0efa0a7
SHA512 c8c1e695639a54e3a0cb12d5447cb0cd68ba346e1aa7a33584018cf29e3de92fe1998b4d79afb88edac1cfcf5756c72b0629ba225940480b5621d94f45878cc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ccf7b3651ae3deaa0a2741e4fb8f653
SHA1 9f1ffb9f1efe3a417d4611110b67c063f42c9dea
SHA256 f5dc15390ed2140a8032cf2bf946da19e1dc1e2b75ef122c3e6134035eca87c2
SHA512 f66dc58a57ea66cf535ea3a2599b6692ea7a1b5ea38b7a9c7e2f292ae3ab556b79b1c611e21a9aa15808f9a32431b5178b269f0b3d2d5cb5b589dca9bfccafac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b8499325fa4f529b2d0284c9dd39eaf
SHA1 8b1710393e3cab3e2ef90b6c9fb5b9d19c14ac6f
SHA256 423cd1fe3abf13a8515e94439bccc15bfcf61c34cb20b09396ff350e994554d6
SHA512 a7963458e62648aa63c7767e8e5a061b321fea923c9701c63d205ff953ee8a064e3cac8939732a77426ba626f16a70dad0388f8f0ceb03084d2c237ac6fb2f95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4186081d87e7247ad41cfb550912dec8
SHA1 3966d6d7bf988478ea2b1d75c45e612633b9bea1
SHA256 0f608409096786b9f3d3f3e4a56983d557bfb8ff41b8b2b0857105ad3a540953
SHA512 3becf069b1cce6d8ab1fde69f20fa6299df50b1a81223b673ae51bfe662336e87e625c92967dd40fa8191542dbe6103f02fff953ceb6453822889902fcee7c16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f7abe90fce0f32991a47de5ab579cd6
SHA1 0b7d18d58a2c810f111792d4a4d9814862dc68a6
SHA256 372adb9e73806aa314468a62b7c38f36e4607a57956403e93be60a7601da5cf1
SHA512 3c073e2d0cf7c8fe246fef0963d416e3bf351ebae8c7492b3681b3769c7b9eb70fdd85fb5303caef40ce9d97ee5e8ad82bf52d01299033f989a1aa7cdf3f85b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a90cbea7848dccb6de0508b5c71ec09
SHA1 86c9d961029d03fd475f050cad3611c8e0528ad3
SHA256 15a26d87f149f122c443728b5ce391a2f8bac33e0c90a79c35b0085cf5bb6627
SHA512 ab815a71ffce5c921a80615384ebd5c25e693a64a0d55185aa60fe09ec73f0a524cae694f9f6ab11c85f2e0931c4853a48564f0e69af20bb14fa9ae969072a51

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TNPG4FQ8\favicon[1].ico

MD5 036aedaccad59201cef45614dae4c901
SHA1 44c80edf16020c31a29efe346cb5ff2dea20df3b
SHA256 00d386f73149b711191f9efea873474a90266bff140870098e82c98d9cd4714c
SHA512 c799788b6098ab5fcddf45569147c1a9c65ab9afaea8a009c71d81ccdcb15e4deee7731ec4a1deb17db235a2860b9d40d4c328a1de22d1d7a492dfe092b0bb67

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9yhbznx\imagestore.dat

MD5 f6ccb0fb25b7ad0a8dbf6a7586d7c405
SHA1 12f88f1c7351e2433e9bd0352f568b3f3e4a54b7
SHA256 a3b8db41c19e15fde2a2d992fc0f0c6c35925d5424818fbdd00d7750f282debc
SHA512 aa111d6fa4611357c5db18a87d4fbdb58fcfa6b54d525c5781f1eb1e168eae1957fd901555706619e2381669f7f8a4d59d03b7c43e8b2af12e78f1c4344f69b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 136966382e35cdf146a3faef5b1be3d0
SHA1 cb568702be708dd24f487411fbfbfc120d282ef1
SHA256 3552cb0f674e975955a1700e35fe1d3da9d8dddac3e616788f9d1b4cff087259
SHA512 f96d4280dc39ebf7d2cfe6bae7deeb63f5bc6095fabbdd53e71c67743f85db3bcd1b610ddb5b91feafeda8fc04edf231b30fc42051c4e53d2f343b4be42992c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 424a9aff37cf25d4d5f6b873fe45bdfd
SHA1 00069d98b5fbe5cc631f52fd66f5690635e4e5b4
SHA256 757a479d081e5510bc6d17a546940486f2b5149618bf11c3f9f0929e7293bc89
SHA512 bde97b1169aad7546cc3b638c30f825833cbd8632abcd879ba92cc09ddaa951bd7272864a11f292439871a7aed6fe2c5b291f78302cb5f47de03cd3f5046de27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4489ce5dcfa67b1ec573a7a8cda16e8
SHA1 39562739919f308066ca9a78bf3d0f4e2d72cbae
SHA256 47c09430d9ae9c84e78c1afbc4b93362e65790f3d15bf61dd8898df00f6a6416
SHA512 a90795dc391783dbe0249be713356a37233eb510a8d9d64f9045d513df783bb2a0b93ea38c16449e2709a21c989502df4e165e85a8f5194ee214eba7abe02864

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b84e482c78da1a9464d24fbfedc4d395
SHA1 83b3d751598ef39c5b3053caa6327ec0e94f8824
SHA256 505c3afbcc2a4f5d974eabb5a5f3e0049460659ebfe951b3dabc88b129975497
SHA512 893b85fdc6ee8805e594120692124ca067133248c6f3cae4c7c3a95b06f6486daf52b3cb1d6c5502d975cad32a4388ba8bddd4f8f888aacef53d148a85a56545

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d0e8ef8681779eda930273f2f00a991
SHA1 b2552aa29a0a5a8dff47619832ddbd14c8915eab
SHA256 ab061e78226d638bd5f1e1a66a0ae3232ab6b62b29e910eea7e73229d74f2025
SHA512 aef62e5c989be82563fc4998545fed0b9b9a0a31fb7000a5a7801d034167465a788b60f6f208fc50b0edde5019f6a1b9b3a84abbacf8f3b88b5b34534f3400b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bab5c1a5c6dd74e235b501023f538ab
SHA1 c618c0c8bbf9daef613f4afd1c7f9d0c846c943f
SHA256 455f96b45ad5d36a1c757508ec8b63215e2194485ddf4db364faea5b1c727adc
SHA512 065ac97eb801f930d236d8d34d6570c38f27d6e061762b3b5492f515a438699d83da1f7633652f96b5d7ed09a0e6c2349ddb630beba6c19e097c529e2b004326

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17ad1de65fcd909025dd420eed4fbae9
SHA1 728bb37f63f4e5655c90d2b23d2ccea5ccc8cd84
SHA256 be44710afad52bd6788fdb8a9ebbf1a0f8f2bd5d6c31addef2770503542d845f
SHA512 6f3650c7204f8574bc077006b2d2bd72d858cea0754d82920bb511568ff506e05a047956a3e6e957f9f2df676b5c2bce60af6a4b9d09c2dff25a7cead4f0ea29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d83a56a038f561ef88eff41eb5cc715
SHA1 427c73cfbe0833111e94da457b412c5b2260af1c
SHA256 41f87872d5ee196373bbdfe6ed27f82aa8d07002511d3f52ed23bf71fe7182c1
SHA512 ec8ed1968a72a0adf54734c54614ed5bd10b98dfc3da058356ce19ab2723ed4787612a1325a02947b37f9a0dc052ccb134e921344af5d14fab191bc9ed031d98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79c879d42c8689407ea535896481234d
SHA1 4132916dd1baa8f13952498b1f5be19c5ee821b5
SHA256 65861874033971deb42d07110cb93f22fdfe014ceed17f428bee84f205db91e5
SHA512 80cacb9c9acfeb44c21fff9d9a9bdd176882ab8c0823864f15aeb7e3ddab59d851ab23082b20bb7f302b353d4c780d7f1dfdc7dfa1d71455f9ebd0ee841bb860

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b62f5aa990bf51de9c9ed1ba771a244
SHA1 251277e6547b0e6b7285ac4695b96a9b99d95a6a
SHA256 d113a94bafe83f753154fd7f078cbc6427a0faa937d0e046fa2734df939059da
SHA512 87a0db80046433e12994a8b21d7af26da06e361dc29715c023feecde396edd9432751171fda81ff805d8a60a79dd526202fd59e0c3f3fdbc4e4c61cc415fbaa1