Analysis Overview
SHA256
c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def
Threat Level: Known bad
The file c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe was found to be: Known bad.
Malicious Activity Summary
Netwire
NetWire RAT payload
WarzoneRat, AveMaria
Warzonerat family
Netwire family
Warzone RAT payload
Boot or Logon Autostart Execution: Active Setup
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
AutoIT Executable
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
System policy modification
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-16 09:48
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Netwire family
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-16 09:48
Reported
2025-02-16 09:51
Platform
win7-20240903-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Netwire family
WarzoneRat, AveMaria
Warzonerat family
Warzone RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
Loads dropped DLL
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1640 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe |
| PID 2768 set thread context of 2496 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
| PID 2372 set thread context of 1132 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
| PID 2848 set thread context of 308 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {0F06C430-BF93-4874-A13F-861EFD47F696} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
Files
memory/1640-0-0x0000000001050000-0x00000000011BB000-memory.dmp
\Users\Admin\AppData\Roaming\Blasthost.exe
| Hash | Value |
| --- | --- |
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/2120-24-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1212-39-0x0000000000080000-0x000000000009D000-memory.dmp
memory/1212-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1212-29-0x0000000000080000-0x000000000009D000-memory.dmp
memory/1212-27-0x0000000000080000-0x000000000009D000-memory.dmp
memory/1640-26-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/1640-41-0x0000000001050000-0x00000000011BB000-memory.dmp
memory/2248-42-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2248-44-0x0000000000120000-0x0000000000121000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| Hash | Value |
| --- | --- |
| MD5 | 3c54630b57e4500803c9f48eb37ce746 |
| SHA1 | bca51b12cdc65f2e7c1cbfe2fa3b9e9a1db1a684 |
| SHA256 | 47a5369713e1e284b16d1acfb0ab9d3614e9631f34c8c666a7123d432613d39d |
| SHA512 | 7d8b1172d713ac45211ee813167963d81a6613abe0a980876201c17c5353e6c71ed32adaecd81c8fde3de35526472251a80f09cafaa403cc1aec32df3a139fc0 |
memory/2768-49-0x0000000001130000-0x000000000129B000-memory.dmp
memory/2496-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2496-68-0x00000000000C0000-0x00000000000DD000-memory.dmp
memory/2496-77-0x00000000000C0000-0x00000000000DD000-memory.dmp
memory/2768-78-0x0000000001130000-0x000000000129B000-memory.dmp
memory/2948-81-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2408-84-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2692-86-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1132-108-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2372-112-0x0000000001130000-0x000000000129B000-memory.dmp
memory/1832-117-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2848-154-0x0000000001130000-0x000000000129B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-16 09:48
Reported
2025-02-16 09:51
Platform
win10v2004-20250211-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Netwire family
WarzoneRat, AveMaria
Warzonerat family
Warzone RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3716 set thread context of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe |
| PID 3668 set thread context of 2280 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
| PID 4360 set thread context of 4860 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
| PID 5060 set thread context of 532 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
Modifies registry class
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDM0NTIyREMtODNBNC00MDVELUJGM0UtRUJBRTk2MUM3NjE2fSIgdXNlcmlkPSJ7NEVCQ0EwRkUtODQ0OS00MzQ3LTkwNTItQ0Y5NkFFMEMwODBFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjAwMzlEODktRjIxMC00Mjc3LUJFODMtQ0Y4OUNGNTZERkU1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDE5NjEyMjYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff636f16a68,0x7ff636f16a74,0x7ff636f16a80
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff636f16a68,0x7ff636f16a74,0x7ff636f16a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6539a6a68,0x7ff6539a6a74,0x7ff6539a6a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6539a6a68,0x7ff6539a6a74,0x7ff6539a6a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6539a6a68,0x7ff6539a6a74,0x7ff6539a6a80
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| IE | 4.245.161.190:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 96.17.178.199:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
Files
memory/3716-0-0x0000000000FA0000-0x000000000110B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/4360-13-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3716-15-0x00000000016A0000-0x00000000016A1000-memory.dmp
memory/2848-16-0x0000000000340000-0x000000000035D000-memory.dmp
memory/2848-24-0x0000000000340000-0x000000000035D000-memory.dmp
memory/3716-26-0x0000000000FA0000-0x000000000110B000-memory.dmp
memory/3472-27-0x00000000003F0000-0x00000000003F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | 766f38e12c6d2788f9e2b3a301512d28 |
| SHA1 | e33621cc81d716fa92116c37130a5f81de766294 |
| SHA256 | aaffd10774584278973faf1c8e619c741aaf6653bd46c232aee8eec8ee5d8bce |
| SHA512 | 3d79d6c0b1b3bcdbaed3e4d99185415e2bbdca2351ba11afbf6b7a03d2a6c16801d37ad20380f9477765b75c65fbee22e155f45e080df20313fb4026d3a98336 |
memory/3668-30-0x0000000000ED0000-0x000000000103B000-memory.dmp
memory/2280-39-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2280-47-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3668-48-0x0000000000ED0000-0x000000000103B000-memory.dmp
memory/3016-49-0x0000000000B90000-0x0000000000B91000-memory.dmp
memory/1052-51-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1568-53-0x0000000000400000-0x000000000042C000-memory.dmp
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
| MD5 | d2e323631dbb4e63dbcca7d9c1fbed76 |
| SHA1 | 3945d53608db21d4366ab583f7eacc15607785e7 |
| SHA256 | dd0b50ed28fea531fb7fcc8d4d455633b30810aabd2e33b481a388fa3a1436bd |
| SHA512 | a0304e6e49bd9164710803dd56552f0e400682ac4180c3f49c6d06b9ebb48c35171f9eaded2f5467aba3bf1740d6dcbcc1b1b6e22e7d4fce111816d837703b38 |
memory/1052-62-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1568-63-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4860-67-0x00000000001E0000-0x00000000001FD000-memory.dmp
memory/4860-76-0x00000000001E0000-0x00000000001FD000-memory.dmp
memory/4360-77-0x0000000000ED0000-0x000000000103B000-memory.dmp
memory/5040-78-0x0000000001300000-0x0000000001301000-memory.dmp
memory/1344-82-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
| MD5 | 1b3e9c59f9c7a134ec630ada1eb76a39 |
| SHA1 | a7e831d392e99f3d37847dcc561dd2e017065439 |
| SHA256 | ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae |
| SHA512 | c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e |
C:\Program Files\msedge_installer.log
| MD5 | a0546d81a2aecdb044b5aabd4e028f52 |
| SHA1 | 6bd15ba7de411b3d2a778f8bd12bc648ca12842f |
| SHA256 | 10fabb814e9661cf1a240df63cb42e2591e29cabaac347b4676a253bf588655e |
| SHA512 | 157310168ca03e3bffe8ee14912d666604642c29b68536e85ab31be9b19cce41572a1389b3f172252126495160472978019d1de64874009dc93662798a00d2ab |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
| MD5 | ad5f7dc7ca3e67dce70c0a89c04519e0 |
| SHA1 | a10b03234627ca8f3f8034cd5637cda1b8246d83 |
| SHA256 | 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31 |
| SHA512 | ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51 |
C:\Program Files\msedge_installer.log
| MD5 | 27b53c27979800c7045eca4b709cbde1 |
| SHA1 | e3dba3cb64fdf96119f761b0f6c77409fc42900e |
| SHA256 | e03521423a2dd64be686e5bb2be5ccc93313e99233cd1bdc4a1ad7db4f1836f9 |
| SHA512 | 610ee814993dbe245c9db346613b0320c672aa72236434bd5eba8b9cbc9f4589f664d65ccea3f74a9ff9dc0206f6ffa64955c931ef86c9d3f36ef43bbefcc889 |
C:\Program Files\msedge_installer.log
| MD5 | b2a977d4ddfc2e12ecdce1e481532801 |
| SHA1 | c71c462ec9d8ef346d8cafef41279b7a83d9c444 |
| SHA256 | 02704781ea8669e5f7f36ab32a4297ce274355d731f531d06461435e87dc0217 |
| SHA512 | eddc95598dbf181c85261b398839bcb5e32b38e7acc921dd771b63040a1857a2c61f36f736b322d46afa15920e5edacc1284a0919d22604376e0482b29b85dce |
C:\Program Files\msedge_installer.log
| MD5 | a19a0114610fa9e2df98bd1be4865332 |
| SHA1 | d7d01efdb78a74c37951afd7fd61ee4372a82fba |
| SHA256 | 9ce0640156bee2c3af67c36bc4619f2f82807480ef52bf5b2a9fd02ea750cad8 |
| SHA512 | f54036ddffb70c5a4b39c9e06346ece9683e45b0130a639856340b27e822ef202701624634225fe3c35aad2d0f1d787bf8fff230db2cfb90032cace512768bc5 |
memory/5060-167-0x0000000000ED0000-0x000000000103B000-memory.dmp
memory/5060-179-0x0000000000ED0000-0x000000000103B000-memory.dmp