Malware Analysis Report

2024-10-19 11:30

Sample ID 240527-bpjypsbb41
Target 9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2
SHA256 9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2
Tags
microsoft phishing agenttesla
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2

Threat Level: Known bad

The file 9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2 was found to be: Known bad.

Malicious Activity Summary

microsoft phishing agenttesla

Agenttesla family

Detected potential entity reuse from brand microsoft.

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 01:19

Signatures

Agenttesla family

agenttesla

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 01:19

Reported

2024-05-27 01:21

Platform

win7-20240508-en

Max time kernel

122s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000147cc7f46ec951e5773cc484d8e27a4fbfd9a8d6c28831a8632fc10d47295b6d000000000e800000000200002000000046c824311613332d7a7e14efb32a27ef755f31e3525f90697a8d5a315f93ae8320000000b69d517674e49c09d62752214e2ed6393955c3a016065d6874c57ca3dfeba50a40000000fd70cded87bdb251d6695954662a7ed11b0051f618ec6e5290dc3081c06acbdc77c561a95440514d8c5c769edbf1f0d79a35d104278d03bdaf1c9995e5c358b8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422934624" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a816fad3afda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{229E4BC1-1BC7-11EF-BAE0-E64BF8A7A69F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000cd9cd6da2ea2a80f876bc4cc16bafc8f38511de2749e495df93b465bdb350738000000000e80000000020000200000007bc6f985b2b56d2e543937c98929b47540be0b5496b794317af23584e084722a900000003b6327a905e878d225061b89177921cdcc88c920a225ac2870a753dcea737ad57d17260e91d1d97e5abc1b480a5ef391d3649f819a782f2b67c2d7024d5f2f108e498b78da3b156f38ec4d4ca60056287e1cc96d0da03a35a953ecdefcffc31396ead5645da7454e2e6852b9b8cda5dbc28a32e2187822c07c7dc91cae5c6669c9934472786ce0fbe04f06daa79cce4940000000521df393bb5b649839d13736c9f6bc2ec781cd0bc4e41ea13879c8ca50eb85a9b342c88de6a416e060224abb2090cffea9fdb1513c9ae1698b1b468cc1569c96 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe

"C:\Users\Admin\AppData\Local\Temp\9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 learn.microsoft.com udp
BE 23.55.98.77:443 learn.microsoft.com tcp
BE 23.55.98.77:443 learn.microsoft.com tcp
BE 23.55.98.77:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2924.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2987.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa33a1f458950df5803de934cc5b7270
SHA1 5f9e9969175e01c3d976813aa80d975a63f7a192
SHA256 37769c7fe060f088c9e9f4efdbf5b0d1cd39399e3b4343be1dbf4969b259b2e5
SHA512 7fbe7740b8eddb3ab47ef4a3e41a2480cd982f62c3c74a612f423ab3fdffa79e2b3b15e96093b3e8897efdaedd7e503c13137654b4307ab3ad31fa4000c7062a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 750741682cb4c1adc1b0c05fdcb363bb
SHA1 2b1e79b3d5e2ef7e634801bc35cc08c6ea7fe8a3
SHA256 7000a4309f627d041f9f4d756309784dcfd63a11408a544ccff2ecb6bb76887c
SHA512 b6d633a40b8a5a3673a0f66f7dacfca8847cd9c1173644f64037de2ec67265410918f4ec9c08904db7541705d130dcbff2b3a06354952b3ccaf7f4e8e97e5fd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4c4d2b1a260061b46bd0bfcfcde0522
SHA1 0ab325f8b860592928350cca1f3d7419fa3dc2eb
SHA256 f40522026e8914a1c75c120238bf30e3ec1f7f2a0d060e0cb290c9138828634a
SHA512 6c9a2093f5dcbfbaa1aa8ab9b06bf33c0a3331949b2e22a587b93976c7c4cb11ed90a03a77c48c929260a8054565c4275a2b0aca15c0e1f5205813c2320be005

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a1834fd2f8ac307e72c48c9431c564f
SHA1 b87be49b958737a9705967448fdc3c474170b750
SHA256 b50c282a1be6dfa76c58e91108cc5cee1f0593287169e05d19b9156a7ccd0fb3
SHA512 ca95c5afa80a64ba1682e213ba556dcf4a65f79cd70761a443fbc76a43aa18b524fafd23b7fe0e52cfb0beb39c1a2277bec1cb4ee8c8922453728316cba2bb8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c94c8f38db9b42e4448fe3031ae1202
SHA1 7da4da5f5a23fdcf18cc583056cec2cabec0fa9f
SHA256 28e326e24d5131246f0fd3df441edbb8d4a0363a162f43a4925bb2f1db5967b6
SHA512 2ef94894db9d133c7604d70c5ad59da23ecf6cc9328827d7668eb773c88efa80551e25bb7ab71f297790596ac03b7ed52bb918c14bb62c6dee0eb389ac5009b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 b4a019370647314eaf31848d4fe3e1a7
SHA1 7c95bfcb9278c701a94e42f10d30688541f9a791
SHA256 c00a61b489dbc34aeeaadbad2dd64f98171d1db85998ce94a86becccdf90467a
SHA512 edc872135fb48ee72b8cff321272ec25f00017ae74d998dcc9c9a9dc88ce5e5538fbe9ebf62688c014fca433c8364807595459653a196f065abcc11935d1a05a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0336a85f65f971f2275e9c2fdfe0cdf
SHA1 d2ea64819d702f2c83c9a39305cacb98f4d5764d
SHA256 2fc422c5e19140a80f1d360c6e929df078847225d574aaecdd8efb413a629ab7
SHA512 3404edb54aa97edc16ab172109c41fa2285b2822722d450d4acf46773787c9a843314b99101f733d8a11999b1029fb17cef9ba9c28e3566c552d6f1feb5a4be8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47b3c95d28771e2865bb3fcadcaf6ceb
SHA1 1999f7a3fdff0c28d12019a5fb0a7c1825fcaa21
SHA256 eca8f0acbb4919e950bae92b193a8e711c1cef3ebfa9abf254f8c40ca5b11038
SHA512 ed95f7f94222c2c4a758ebe4c9c124f0431ea9b7052919a8755ab19767f60a02d2d6bb3c7c0392765e905956a1ab03961ecf6b701c0270d6c8f3240102e843e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3464611a09216a191553b0107a9a3a89
SHA1 79e531365dccdf481bce5392d5dce12c7679d308
SHA256 1af5403dff64f85d07d0a9192d858898ef63387e2df3868c68f8b56df8956afe
SHA512 c13039dd3cce320965c1f1aae557f0e685d21dcdb7ab2a8009298479cae5fca172003ecfa5209e0c57a82fc6f6b731561af59e82b76b47ff4cffdd437fb899f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2675e00fe0a824ed35520f4368155cc1
SHA1 d97ff8c4106184e26beeb0b7ca818dde30fd6387
SHA256 a29a3dbd148904b4f505910acbcafec7374936882d13b7988695bb0a881ce9a1
SHA512 bd307f556183eb1980e627042384686bd09b243a21900c903c020c8b3f50e8621a0fd99a4c68b6560ff09dce7d20a6755d7bf32041ef59f6256718d3c3e9fe2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f18cb3a2fc59e2d24eddbbae07a65535
SHA1 50a6f1bc5bb8ea95b34e48459822992cb489b87a
SHA256 8cb008ec39dbc70685dd986de16032cd5566ac8aba8d70890d20a9c595726b0f
SHA512 1d08341ba685396a1130369d4ec1921a79c441f7b7239bf55c96b7da4e8ae1bf943468437d780499a092fc0ac5386808ee81e9cfe33ef48a82dfd0be93d30252

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62f23dd6f4e82f20b4b18eca7de4ba93
SHA1 9d9e753378d6a2b036e82d21a6f1089b3765c4be
SHA256 672408f1653b70aef165d3e427a28e8a5a92427e7542f8e12f414d402dc224a8
SHA512 1e5d9f56c7ce75bd3eb067a39cd7c016b9181e0a82b29fd84658d038691ee1ec6ef30f1e7a0c2431dbf3fce8342e98fc6e81cec41aa7602de3d1f183120bc84d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57eb10a27713d23147470bc2039e39a0
SHA1 a0e1e5402a681be49683d920a9a505882e0cae80
SHA256 eb5153a14ae1c330fd9586efb278348730d84399bc2278095490cc6484723950
SHA512 b284e031b4639bc98c5ff3f68405be575f49f9d04a9790d5da012323bfd8cc25fac7dfbca1f5db3ff0ce51bb02948f8eb4df30e8f31797eef5ae1d73b41b8c84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3484378e89926ebed4813002adc153dc
SHA1 d62c0e53ecdf468afc72baaebf92646dbfc3055c
SHA256 cdc4b5906ece743d9dfa9605b6f731e6155f1553ad44242a8ceae6b3a059df56
SHA512 375ec5c202075948d74645989aede88d546e30679eb7a8e643895771faceb8354eded86394020bd5dd110c909c3ef5ba78d02149aea5eca869f2951b2b3f8a28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 052057d70e4596caad9e4df6ed78ba87
SHA1 efd611b2238a70cf18a42dbe9dcb93c8a8d758b5
SHA256 615bdf33b4eba8d40d1403dc02545f3d6374cf7becc6b30cb5d9676f7bbdd688
SHA512 3d259f760aba22599fbd23f29bfafcd926cb2d513f20f846f14650b76f885aa2a5325a1fb98ed116166d476d2fdd191d13f2b13541711e88b2940e74f6a6393b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5e4b1cf41e886a61d39a84c22041152
SHA1 96db3c57aa2c7c78dac1e8b5b1f68f6582219a83
SHA256 72279eda2fefdea085e10de553aa602a75f422dc2e1a3dabc50b0698303dce8a
SHA512 0992cb04c3f93b83252b21d96afade1f117e4ced3afc63a838f7a16e4f7775ecbff1fe3aa96e5e02b3fc62eee66073145afca4df0b164d2efbd2aafc6432b4b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa267fbf1bf1aaeb6fd51d1f006f5b35
SHA1 6baeda6a6e28a114a3a230d11220d7fe645a4a22
SHA256 7229c9b8d619b9df7541e1bcee392e72442ccb0b0c825094d24a5522e15c4f5a
SHA512 a3d7f6e75399666ccab263bfae1aa696b81a4d447cacd06afa11a0111c2462bef832d96c4562c9a23331eaf23a1a014d4669abbc4076dc6746fe13876b9d100e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b05e046614d9db99b58fdee0f00c8ba8
SHA1 ef8ae725a62444677ec3478fb91e76ddf971771a
SHA256 44600deb0384d36aa27e893892016c54ef6aebcf2f133eeb5808d6fda581dc45
SHA512 b13071e0f45f9739b6a97ae6e0206ea8bd2285e7fa2a6c0bfdd457bf1a082b1a9cdf118e28f294f7548d1797faacc2214dce0f0dd5921268ef8bcdce41030d1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff900b13a1ce0eabff404ae8428511a2
SHA1 26253c18be038a1bac58c495dbbeff990c88d17c
SHA256 06a370f4661453da0d3c63f77848c444b4578399dcace3db17c22317cb084974
SHA512 974e9aadabeba0f27c391d2a42c61a3d8ad9bd1efe27c3346338f61d14a41835655e90c2c8da8ca9b992a74d2f4539b957f724722d3f9a9391135dda8e7adfb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7805bbf9302ec8a52e35f1c528bbd31e
SHA1 44646971374cee2ebb8a51ba441895cdc49db3ed
SHA256 7b12eec6148240503ede95279b7bd85b45ef1fc7c993533f12a0c2189d542eeb
SHA512 1d2f5177c9640a53fd6274b6b4ae4db9d1427ecb70cf4b2fde1d5d0401f7e106b6d62f7ae1bbb92527e88fb9d63065e2e25edf12f21cfa444e67fce0de5c6ed6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d32e0122276068ea7044a5dabb585b3
SHA1 e4bbf2f5aa47dda20f4f89593a22ca5a1233bd59
SHA256 b604ef964a45491391caff68f907067b094d7270150987f723c248a31751b805
SHA512 e5f48106d14f3f34d7c8bbaaa3072505b919e6cbfd55c64a00cbea39f8f65549175de2d556ad76311490cf9c294a00df8195caa5b23b3e0db75f4cac05904bc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db296c64d39f4a438dc0781230d41b79
SHA1 d09e3adaee87377cbf2b25073b9b38d3b4ae6ee0
SHA256 896fdc4b9f56bb51478f2939efe40f9090afae0c94f8b45775a7b185f9c6fa0e
SHA512 cd8da83497f4b5a283e0b3c0c7951231a8b1e44594f83e99ba8de0aff76d74825408a29adf8660e146025e868aec8acb316c8828996dfcef3fbf90d3917fd460

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9975bc17a4814dddcd0f6cb92d0d2f7b
SHA1 d58f4b31151b29dcb67a72cdfdeb0fe605a9df94
SHA256 66a6b0d1b603d8442e418224374205ad59fbd4ee10fc6fa3a7b9786033497095
SHA512 aa9e6dfecb588bac7ea300ea5553081735e46f3f87badd3c425330bc996713145833a2227162c06ee18d1290c45b02e28e0338a9e16322f762f5e8e72230fd71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c38068b565d973faa0f2591ddc231419
SHA1 1cbc03c96bcdbba6b82e6bb9e55f7c0cb92a2ba4
SHA256 8769b796770585feb1acdbc5f32c0780270dc208c355e675ba4bd599ea2c4375
SHA512 0e7205fbd5deb1178d81ebcad13c29ffd1c7307a97b8c437774c45f3bffebd6a7a0eb498541fc26a968346be58b4f16a2bcf4ccbe1bc40880da30845a92284af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ee74eba119517f7c284d7ef2f6e6502
SHA1 7d37794c4126fbf28a0a7b946a1b8179893209c5
SHA256 fea52561425f399bbbf909ded13fa8383796d1bb3cc88bcf2af755cb3a13185e
SHA512 bf1a551aef3fccf642ded0e22f1a35e243fc20902b05beb77fd91b6e9931357065fb947bcbc69dc11c5f1b7be753f666043b34a6a605b52d492c96978801dcf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b1db4e4cba375c67a424f8e8bcc6b82
SHA1 9ab27a37c67c90079e1a822831deaaf0b0ff2284
SHA256 f725ba0f1003cec2c51b1f11f7ea6e87594dd7b59b9d7ec17c3a094227e71a9d
SHA512 4e88051e615ff40e076db5ac8bdf043dbbf335436b1b5116b8116e3ad50263e6ca5daecbdb1a12f20ee8ae0aff39f535d4b56d28a80458100b34017cfb44c495

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 01:19

Reported

2024-05-27 01:21

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe"

Signatures

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 344 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 344 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 3424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 636 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe

"C:\Users\Admin\AppData\Local\Temp\9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9d2046f8,0x7ffb9d204708,0x7ffb9d204718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9bf43f6f8105958350ebe5c6a8d2a13999303b189dfd2aa2c9f2ae4883f158d2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb9d2046f8,0x7ffb9d204708,0x7ffb9d204718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2364,16429571984932497083,1717671603127171128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
BE 23.55.98.77:443 learn.microsoft.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 77.98.55.23.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 mdec.nelreports.net udp
US 2.17.251.15:443 mdec.nelreports.net tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 15.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 52.182.143.211:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 52.182.143.211:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f53207a5ca2ef5c7e976cbb3cb26d870
SHA1 49a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA256 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512 be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

\??\pipe\LOCAL\crashpad_636_YCMNHWHFDASGMJYI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1 a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA256 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512 e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1a2121951a7169e150e097b98ac11155
SHA1 17466372b9439a3ddba152b0f7b5b3b6512ebe59
SHA256 c16ea550584cb04e07e9dd5535d2b7737a50a54a4d1df9c2e06e745d78e8a7bf
SHA512 a30c9b87031eb585bebc528c3158d6c195601352c1b9c4f14d2279abe08d12cff6a420c8db7199abb73fcb33a07bc124093e3521071de57c784ace6a88e4bae4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9cdc7452cd4e37f73e70cdfe2b4a0b1f
SHA1 dbad659f80f879ba142f53c18a1dd20ece0fe709
SHA256 192161b2779bb776a03a524f8d4edd972a83f0431c20d411c8953acda9c93007
SHA512 7d708cac50cf7578836039bee63aa66169f6d1bf6b4f87318d0d4fe03891641d3137562df2450cbccb959292206e7417827d0a607d6fd8c6ef66c50dca126aca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 85dee8cb1e0d5324ff5a66717a7ebdfb
SHA1 2bd931c669e0ed7826d875e190977fbec2a4f38a
SHA256 aec81de42b56074fff98a411604ed57abbcb806d3db00169afd8a8fb167890bb
SHA512 f00f386b30d98b6f6b80dcbc1d72bc26cfd247db129409e454b978237da57816fde9b658dddc8d5d91b13df45c103b2e70703f666a9ab6a52dc61c47739bde00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c11a368c717caf5e70e6447e3a71f2d7
SHA1 7c0d92757a4f9b105a1a0bcb96f297f93a46a9a7
SHA256 2121cf7c33a0ed977e9e9733c3ddfc05932e44ac3e3ceb5f7e841bb0d373062e
SHA512 3908e82c2dd713627481de1c2c894f63d8093ea561f9671b080170d56e6da30c083f6654e4ea781f9b54d50ad7b50a1ed8b85167431baf64e175574bfc05d3ae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bbaf.TMP

MD5 ec6f18e65a09864d76d4568c2c5ec014
SHA1 88da9e8fb73cb00747629e9acc87ed9a797f354f
SHA256 5663af7de4ee31c14c6c0de81c23599a83f234f411777d7bd9fb5d1a07aec12f
SHA512 7101290dab8b4f2654730c104acc8be6ace70a8e779ab666c5eea49c39d9c474d38c6ff3e3f2ac7725e1f8a42ff74a90f29d730097b1e9da6b4f6a7ac049196b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 130a8ba16d7e3421aa1805d287deb780
SHA1 cdd315236819bf830c4ab7f79c3b183540c482e7
SHA256 7d069cffdee1eaa06ffe631b844dd6fe31e8b35e1f117e12b8905f7c965ea222
SHA512 002998a07d3f67469e22547383cdbfbacb8a92fcd61d46f5f21313736a7f9d07c79cdd56217c06279566fe4cf323db50d749eef07004d5f35d2da960941613a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9463df046385812664b6ef5f7a05c09d
SHA1 3658ef0782544e976adb6861ea3a7d7f6b67353e
SHA256 dba91a56d5fdba5bacacf8301e6dac48d4dd283ba6639782379c03f864fdd259
SHA512 dd9800f25e92c87c7f184c04294c60b20ba4fb72c91fe801819913f3187ed25bf31b1b9237bb97ebed7d617d0ba4aecc424e67ee0faf0f420754c7d8cacceb96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa