Malware Analysis Report

2024-09-23 12:39

Sample ID 240612-tlcpbs1crg
Target c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe
SHA256 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef
Tags
upx bootkit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef

Threat Level: Likely malicious

The file c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe was found to be: Likely malicious.

Malicious Activity Summary

upx bootkit persistence

Sets DLL path for service in the registry

Sets service image path in registry

UPX packed file

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 16:08

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 16:08

Reported

2024-06-12 16:09

Platform

win7-20240611-en

Max time kernel

50s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

Signatures

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WindowsClientServerRunTimeSubsystem\Parameters\ServiceDll = "%SystemRoot%\\csrss.dll" C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem\Parameters\ServiceDll = "%SystemRoot%\\csrss.dll" C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k Wcsrss" C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A dropbox.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\csrss.exe C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
File opened for modification \??\c:\windows\csrss.dll C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
File created \??\c:\windows\csrss.dll C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D577311-28D6-11EF-B477-E6415F422194} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.gusanito.com udp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 8.8.8.8:53 update.microsoft.com udp
US 20.109.209.108:80 update.microsoft.com tcp
US 8.8.8.8:53 dropbox.com udp
US 162.125.248.18:80 dropbox.com tcp
US 74.86.70.102:443 tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 74.86.70.102:443 tcp
US 74.86.70.102:443 tcp

Files

memory/2632-0-0x0000000000B50000-0x0000000000C34000-memory.dmp

memory/2632-2-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2632-5-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2632-7-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2632-6-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2632-8-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2632-11-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2632-10-0x0000000000B50000-0x0000000000C34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCD4E.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4675c567f113fc07a397bf8d83fd3db
SHA1 6b9841da4d0fae13d3613e2c58c188a972c40d22
SHA256 c74c8a4740b67bf17477031391b8bb869c4227e9366e93f05bc2c9cf52025b56
SHA512 1980aaef189e2e4160db79c81d2b4f6316e9639f53d40d83de89a0638a9f519ba0df8ea75907c6ba355039bd01867bd0f1210944d470291e2955464191c787e3

C:\Users\Admin\AppData\Local\Temp\TarCE32.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5f69c6cf7c8706f734db2121ab76e01
SHA1 dc06c6bf19641bf53fe38358989ee40f021e02fe
SHA256 4bba08c0cabdc6bcee6b816698b9eea5fcfc7ad68f05a0d0d04f3b5a91e9134f
SHA512 b4b2c7dcfb5f420723e8aab49a7afb7e0e2c008a9b05a59a123a31882a8d3ccbaa022fd379f2b2f4bb06516fc4e0f5282957235d51c1a86978b60836cb92ed44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f87f06d8ccdf474d7b21b6a1b27b9f9
SHA1 d3bc66780a7406c5c688b659c77e07040d6a0b3f
SHA256 506f74463fa3f9f849ef009f09095484cbe8829a147ec95bbe55c7ef2d3a97e6
SHA512 31625b3f25f274542d583bfafe42235b7eb1ba9b56e7b5bd408737e0adee63f460817889565bdc4b5e8535c15a34516f73f90b670a3da3e00333c5bef42c40e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9940b9766601a327da7653514e4b9991
SHA1 6a58f7bf3fe5f4eafb74305c3afd9141b7ae6f42
SHA256 f7324a161a1e445cbfef890bf645d78ec73d8b31e9d2eacb7c51868dbef1abcf
SHA512 b5a9a563346c0d8eb35424db8d28cbda1a616d3104412c78a660c60dc083d97d8437b9ff7fb3d371abc7e51758c1039d95d200f943be0d8a849f8f6917c0a325

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 186e31bac623c2e4be55c223639ec19f
SHA1 231391bc2ef1a579f8c31844b303cc51a3747178
SHA256 ff7966e16f38e0f67a46462f76f8154b5c5f4549e1003b0af2d91e87a502fae5
SHA512 404acceb2b7242ba8e2c3d51f8af05bb7ec926d13e94d397bc45cfcfea223b35cb188857f9045bb4cc125f9fd12793b886db727dcece0197910ae720362b5077

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0d6969488f4e2a0ed866e3915dbff00
SHA1 ac6d92bca4b62a797b25a2a769040057f5122d06
SHA256 0d356e4f81ba22d80d712a83fcf878eac431bcc48bfa62d3ff9c459ff2e22218
SHA512 1ef3a04bd7646fdd62c3c088e895801c60e309dbfd688f1d8bfd0fa60606eb711a403cc83f05307f8b6b1f48f5d92fc9e3a5ee1a1b3303e1917c9ec3f80ffdc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cef4f7df63ffb0f408edd55eacf2604
SHA1 ef3038913e9632e37f7a45dc6acb45e0766061c9
SHA256 3152d43b55fe91a673efa30da360632574fcf3bf199bcf1b689c9df3f29880f8
SHA512 bc68111bb12f1e52b53803e5aa2e11cd6897e7a15a7c247dccfc351a0eeb2662f6fc5875da750f190ab0028c86b95287d227f73745d4e6e85872e9454244ac5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ec1b42f28c12c066dc25d8a72195d50
SHA1 6282e343648a77042a240ff9a6c739dc11f0515b
SHA256 428855ab538df23abee7937025c52c1089805be0bcf18ec71849bdeb576a7ae0
SHA512 257d197ef832db1c96d4e65bd764393ab788b41682a2fa847b1fa03dcbc93f0845f39aa107e65d2aee0483afb01dfd84c3964a4953e6f99daac6ba3750eba0de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b492c2c19885650c8b78c0270250cabc
SHA1 90c700a49da346ca9a81850b2fca7820cfd68fff
SHA256 88f49922fec93cb84e42184916d7a60e20c1983707d1dc2d552da1c1c57afaa6
SHA512 085bea7fc10dc0e0eef8999519ca1e303924782f47c3572b257da4a7e7857d63701edd708203a01f5ac3e40b3a47b7922de972331e0add91247e4a7d6117d0a0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 16:08

Reported

2024-06-12 16:09

Platform

win10-20240404-en

Max time kernel

21s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3d0

Network

N/A

Files

memory/2796-0-0x00000000000F0000-0x00000000001D4000-memory.dmp

memory/2796-58-0x00000000000F0000-0x00000000001D4000-memory.dmp

memory/2796-60-0x00000000000F0000-0x00000000001D4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 16:08

Reported

2024-06-12 16:09

Platform

win10v2004-20240508-en

Max time kernel

46s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

Signatures

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WindowsClientServerRunTimeSubsystem\Parameters\ServiceDll = "%SystemRoot%\\csrss.dll" C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\csrss.exe C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
File opened for modification \??\c:\windows\csrss.dll C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
File created \??\c:\windows\csrss.dll C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3948,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3516,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5144,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5432,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5472,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6028,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=3776,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6348,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6512,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 update.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 update.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp

Files

memory/2312-0-0x0000000000BB0000-0x0000000000C94000-memory.dmp

memory/2312-2-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2312-5-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2312-7-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2312-6-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2312-9-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/2312-10-0x0000000000BB0000-0x0000000000C94000-memory.dmp

C:\Windows\csrss.dll

MD5 7dd38f8951c2fa66a1291c7d297e1947
SHA1 a3feb1be32160c5196bba30830c1543958ac0045
SHA256 c6e185606e9ed62db354b8b8a298f470c01dcce8c5a4f409bfc5b918b5fd1c09
SHA512 cf6575bbcf7c8442e98d3e05519c79eb58a1e268acd1b66ce1fd8e9e8192a3791ce02474e5a41c4848644806dbeccb40dba93e6ad57bb37a5fa78528df0536f6

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 16:08

Reported

2024-06-12 16:09

Platform

win11-20240611-en

Max time kernel

58s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

Signatures

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WindowsClientServerRunTimeSubsystem\Parameters\ServiceDll = "%SystemRoot%\\csrss.dll" C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\csrss.dll C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
File created \??\c:\windows\csrss.dll C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
File opened for modification \??\c:\windows\csrss.exe C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1836 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 4700 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 2788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 2788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2680 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8ab4e3cb8,0x7ff8ab4e3cc8,0x7ff8ab4e3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,2778242197533742920,1956034287137226668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.gusanito.com udp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 20.72.235.82:80 update.microsoft.com tcp
GB 163.70.151.35:80 facebook.com tcp
US 13.107.42.14:80 linkedin.com tcp
US 75.126.60.251:443 tcp
N/A 224.0.0.251:5353 udp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.126.60.251:443 tcp
US 75.126.60.251:443 tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.119.206.59:80 www.gusanito.com tcp

Files

memory/1836-0-0x0000000000840000-0x0000000000924000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 46bfadfc09e91238fe82de0fe30d91d2
SHA1 5da9d92d08803a52c63c1b96c6027e603e5fc3ef
SHA256 99733b0f1fec41252c1cf23c4a77b60aa371815f1c4c6fca5b0f81e81edf0f1d
SHA512 594994c4261e410c895b7f9b83562cd35eff449acb8fe1c124939a9e6c6fb8153516aff2445719fb73e8ba9df98c425ab30f247aa30571fc4d9cf2979f7582ae

\??\pipe\LOCAL\crashpad_2680_QJMLJAYPREIPQNHY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6c9e5afa53a396c5663f22632a417d09
SHA1 d0ab4eae378aafc7dfbf87e22a3113a642f0633a
SHA256 50ded1ff4676a285d97aca12244287f807e5c9dc5d258a63fb22a248557fb9b1
SHA512 543d694c98ef09020792e911313b31da77233a39d7de4d7ebe320bbd82b6c830f86983bbd5642b6c546b50de90e1644b80e2fb8400dd95800ec7c44bc17947e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6a239d57bf5ef40309de5acb4256e0a9
SHA1 e3a9165833b312457717976104aec999bc56e4e8
SHA256 ed5358ba3a142f4a71b1df8f65f5c140cec7aeba7bdcad7c131435e028a31055
SHA512 5225dddead122e139ec52a2b4317e8aa94a1354987cc125dcaecee34faaace44cb4f68baedb0960370a85dbc560f4105e1c47f21a5738c1391613d9f79c4e15f

memory/1836-24-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1836-27-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1836-29-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1836-28-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1836-31-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1836-34-0x0000000000840000-0x0000000000924000-memory.dmp

C:\Windows\csrss.dll

MD5 7dd38f8951c2fa66a1291c7d297e1947
SHA1 a3feb1be32160c5196bba30830c1543958ac0045
SHA256 c6e185606e9ed62db354b8b8a298f470c01dcce8c5a4f409bfc5b918b5fd1c09
SHA512 cf6575bbcf7c8442e98d3e05519c79eb58a1e268acd1b66ce1fd8e9e8192a3791ce02474e5a41c4848644806dbeccb40dba93e6ad57bb37a5fa78528df0536f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c69d1478ec465867de8787ddf595bc9d
SHA1 3fe9d4c5041b330915d50827f318e31a9432c15a
SHA256 4ebfdc8668da633b6c89bd1d32ed1678104896969a390351e17715db58e09104
SHA512 13e91632b51b0120b429a2a137a7a4ff462229eb81763c73eb75f9de1d7e607f491e7238abe9f2fee88d479babeeece663638acb2658224e9184b28b08b98fb3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7814e70bccdb5300181bb264b70ec358
SHA1 c6b7f0acbafb6fad16ca9336961c7f993422ec77
SHA256 fffb51a1289bb9899bac29ff8f688e7b4496e5116a7bca3e3d36931468904cf8
SHA512 b25de6bfe0d6f8c5ad0957e9dbf70e963a30229d9e1059c4d9fb4d9729bb4ca6bc2debdb9b9ea872c21ddfe6a860040558466da823af31618c877b335f732044

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 cd6050d3a6e28fcc0a9df3e9f978f892
SHA1 7895b95d23de6bd2576f4a429ab578ce73f5cf6d
SHA256 89c9102fa54294c738a0a4ea65cb93f59033074669fcda7e59d09cdb552f9b0c
SHA512 02f866882c952386719a340be79817e79d22e1c040d8b7e13d52e511b4c1ac721731e0e039623027c0938d28dad36ecf6d6a7f969667bfd29884d24204a014cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2b2eedd1d0c1efdc8ab8fe24cabfec35
SHA1 1c43bf6aa250162ca79f15006e255fe6acd8bfdd
SHA256 ccb7aaa89a970e7961bbcd774e6b2e3d2b733e798948dc6887ddbc6d48960f47
SHA512 ee4f8673c70e8735d2764b5f109ea4b704c7e4d4d4d88c8677d2e9bca67efd3dd4f77d7afbb774b1e7b13af8d20894e6124d4a7f1eb4e9101933f58500fc9a9b