Malware Analysis Report

2024-09-11 21:52

Sample ID 240614-pgqm6szgph
Target 003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b
SHA256 003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b
Tags
blackmoon banker discovery spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b

Threat Level: Known bad

The file 003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b was found to be: Known bad.

Malicious Activity Summary

blackmoon banker discovery spyware stealer trojan

Blackmoon family

Detect Blackmoon payload

Blackmoon, KrBanker

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 12:18

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 12:18

Reported

2024-06-14 12:20

Platform

win7-20240220-en

Max time kernel

136s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000186a714d596404b9ba99f5bf7605f4d00000000020000000000106600000001000020000000bd5fd1e1bdad54667b153c8c31c53c28b1b698d5ba4039b5a08fe3b4323b9b58000000000e80000000020000200000000a3e8cc76d0fad8b9f66ade103b604c8a91383f46d50b32a16e770cfa062e3ac200000002cc143a85266237ffee33a18576b8e24f2687225250feffa418be67defff94554000000074e27b6133d35e119b22f6aea4e719d63d1ff5473748e468dcf9c7611f6173d150af24c853bce91cd99f4cbe3b1896eb84636fd6a6a8f3f96ac1436762d035fd C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424529382" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10586c0e55beda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38A78FA1-2A48-11EF-9A72-56DE4A60B18F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000186a714d596404b9ba99f5bf7605f4d00000000020000000000106600000001000020000000667f2eb3fb229931f3ddc857193eced69f6718de614ba8bd8e2fc35da039d1f8000000000e80000000020000200000005cd014d090cc5b01ae310c3f6cd51906919c26ca63b364c89c2107526c03adfc90000000dc5869343bf70a5143c8a3cc74cfe1c8e1bdfb3bb427d11e15b0ceda912ab83d286c9876394014c3c91295df41d3cd85e99ec6edb673dca807925acf5050f0ca12883d20d7955b401741eeb8a1297582b7f7b40cab0d5e8b371b2a328be9301de6f7a2c0ba125d70c7afdd8eb05bb2c1e2738ebebc9cff7123023464f93d845eeeb1aba14705fb4b9b5f9f592e840839400000000cd1b1ce9a02d37c06df251c8e8beccb91211bf18cdb4f81b420ad1c0b843120d9ce9594741405bced7b93d744ffc0bcb9d0b542f5988e7834b04517a297d5a9 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe
PID 2468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe
PID 2468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe
PID 2468 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe
PID 1996 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1996 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1996 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1996 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2060 wrote to memory of 2228 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2228 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2228 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2228 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe

"C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe"

C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe

"C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe" Master

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.30my.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.30my.com udp
US 104.21.88.20:80 www.30my.com tcp
US 104.21.88.20:80 www.30my.com tcp
US 104.21.88.20:443 www.30my.com tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 104.117.77.187:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 104.90.25.32:80 x2.c.lencr.org tcp
US 104.21.88.20:443 www.30my.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 104.21.88.20:443 www.30my.com tcp
US 104.21.88.20:443 www.30my.com tcp

Files

memory/2468-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1996-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2468-1-0x0000000000400000-0x0000000000891000-memory.dmp

memory/1996-3-0x0000000000400000-0x0000000000891000-memory.dmp

memory/1996-4-0x0000000000400000-0x0000000000891000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4B45.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4C55.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b86b92f5c169b94e73b5e55f935b0ef3
SHA1 76d4864f9064c4575eb0611e17b8fa4d832429ef
SHA256 91b526fc8018173c5319e51bc02a8d15d5b7a6c0bd992d7416b96e14fb934236
SHA512 8b1e2313918a53e70a532a39df57adb705f84ebb32ae34302477577731b4999d99f57189e970d595995073d71d53729ea68f244f9dedc11550df55c4e82cbd38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef5d024bba5dfffc84dd1d64f41bb7b6
SHA1 138ab55b1582cecf4bee4c0507f149e63744651d
SHA256 a33ec576aab98f4d998454c00eb2eda67e90cf9fde31863f136efa22fda522f4
SHA512 b7702a50665a95746b80965ce72f81d59c9b7c8e4130dcd21451783e69e27148e2fbec40b3b7a936014df48f7891457ae60769583ce88b2fe209ebef1441cb10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e68324c5fdaec56f5220795ad7fb4411
SHA1 47d6fc291762cc72cc44c1640ea1e594c76b5e3d
SHA256 e4c12dceb7711d96763f93de423f5e31f1a6d48769d701423654255ad81c3495
SHA512 51074a048b31ad0308b164367307bb3447ea3c2aed0d9f464d23f7b5f77024078db26b0a7c23aa43ae97666846e4c70342ed0c6e9232ff72742467f235367b08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4682fe49ba0835a8a0c312800838f820
SHA1 19debce2840ff5793a31dabff9b4fe1ef88edd35
SHA256 27ba83d4818de79aa6fabb9cf66480fb2eda8521b484cf8f822028e48a9b68fe
SHA512 1c319f4b56090ebb6e2111acde4f9cdf29167dde2899d450530214387fab3d995928d0aeba3c42958b4bf1cb9eb1f331a273bde23f8261e50751e67a2aaa3ff7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64c5a91c0c569ca607471634205049c4
SHA1 1a25cc796bbc9d5348dc10f6fb89b1dec36ebfdb
SHA256 386bf3f63d941fdd1ba07841083aacc1133796ac5279fc80c4ec4cffd67b29c0
SHA512 a552cd7cfa6e56bb64a8adab83f927e66e981d25dd40391877cf09e1613e1046941f0c474453a741c6981a6ec5dcdf0f8aa7de9779bb799fa5982cbd36bba2ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6740f9681d97ac1adf8410ae14383a7e
SHA1 8766378876fbf14c304865bc309518b235c407e5
SHA256 fa93e1afba309010fef261f26700536979715c2dddd86c8816543d3610ba140f
SHA512 5541f1bf00bbe3d9f66ca163a1e49acae63b9c276a9c5d28e304f5fae1bff93d5b1be3f1b6f79efa2e03b82f38d05ca9674db96b83f61068f3c31222ffe2b007

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a7ea52f24ee31053ae4a3cdd973892d
SHA1 07d9e5bfc2b1cb774cfe1dd5054881297641dd0a
SHA256 a1f946b57b88c2f3815f51636593d293f05e425b7ccc03bbc4720c1c23ff5a88
SHA512 e1f866f2b0347509be7763ee0ebdf93ca44755d7091aed01529bb0d5ed4e9b1ebdaaa84fa95d6d319c12525b0fab97d3506263bb13e76afcc2c040e1fa2e4714

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a8b26186d2a711128b1092decba0d19
SHA1 22e6c42d0a11e7813f06c8084b918de9d2cc05f3
SHA256 92544dac6e1a6bb16da8196ca103eb9483c965ff1d77e213e22d12c9c9880c8b
SHA512 a7ed26cd83fa650adda8a73f1720681e6fcf9cdc68e61d2eed2cd67122b4f645dc31732682b6779d44b533687e2e49bbb23abd436613c6601c4c07f586782626

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e515a44c0c77a059f6cf45e326e72777
SHA1 5af1dfd70268536784323141b47d8d1feca913c5
SHA256 1cda28c3949d23be6d0e0a43fae11d25d5f7cbff551fc346872919efb35a674f
SHA512 87d0823ef3ef31bb4c11da149284cf3df6526262aef481a06703c86371dcd55aea77bcd91fd96de587b4e1f8d4ea94028e0c4b0c17112f1dcd328e6145c205be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6081b59a75998d3c2267e7a722100134
SHA1 c710bb5ae1805853b74e70ce139463ad26924b68
SHA256 ab25176b9da5ff73d37061bbb9f0ef473ff78b5c470f508e0dec63b826105a02
SHA512 1a7475a56d1d8f0386ce58c8fe6871d4c5fee70220e52578a7dd404a99ea1a803b80ade6ff908a7a11841f232ab7ba66e3d2d711d287a5a551af1a81b804cb68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d0fa2df4631babe1e76df96c851a858
SHA1 a2e14faa78b6d271f445de0eebe2d8161669e3eb
SHA256 882b3657296ebf4db3a1d2a04955d2290630d3c6bf877f2534b0dac2c79d5ddd
SHA512 c8eef2fadcd2d5e9a8b63c8ffca8f9ee3160722a092dce06143aef19f31941719ea4ffdd10813b2bdba087b99cf1a62fc6e037e3c9f4de1ca23d964e7d91899e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66a16159e8db7bff0a5664886e175a18
SHA1 04e0dbd2dc205c73038796f7c53104e3259ff210
SHA256 e42e99cdd3d1fa8ebf31fca83ed90ddc3feb5d74d5d5b9ff83b47289cbae647e
SHA512 2dc4d5033ce6b8cea78c4297c9e45e2c8f42f78ef97a8e71336b4a4615de1df9e7a1b4ee53c81dd961c9d550f86623f6d33a43feeafa9c5ac63f0613d227316c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 aea9cd92928759a4e7cbff611a93f453
SHA1 58913e4b5ce0d87682837f54c5218d61ea6da86e
SHA256 9f69ef6e060ecc1cd5f6b86753e104bb820cbd4c340b5bed594ca3eac69dc141
SHA512 fcec8d171f4d020cf23ef6bf710a3c5fbe04d2c795defba2d1b8108a583ba8757be85e528643af77a9ae5654552125dce2ee1f83024188bd73de336b57bb0995

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de4d6e994e9caba480eb6564fe1c23a5
SHA1 cf1581b4ceeb1e64a5eb3854eb54995005f8047d
SHA256 f8e07b61c42e525dd412c5330a1644439fc0c4ce0858ceb934a9720c912cc506
SHA512 c44b2eaeef3118ba5b1154ef673d1df63912be64b6a611f686316c4084183eec7eef63f5fdf0c0c3d5e33fd3f4d5deb444db8d367efa9f8d95f154371c9c42ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9ec10387dad28322f1e1b1ec47610f6
SHA1 16781a2977a8151eff85813a43afd371b8ecb259
SHA256 aef5a9a27464e549798e80a9ab1ef51826b83399abbdcd5270b20ebcf8dbab13
SHA512 b3745cf5b5994460d0a524a07258e8e0e3f6759543b61965918f2df6b90ae8a946311bcd12635b42137c2d17e02017a252bc20ff1125ac137774c070766e9be8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c37e2cabf87aa73347049b79889e21f3
SHA1 3c46715f47a2c86b51eea9147a83894c4a68a327
SHA256 18dab8f4e406429b4332fbd8a06ea52eb12c5bc2791f6a139054b4a963c09bc3
SHA512 5e82e84543cae3cf51dc5375f19dce468cc11ab3bd92cafaea4488f7131416796bd341e8a27611d2463dd33515a1de3576a7509306fb1db38d37e13a801fee09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ca565903ed53ea0fc8c0bae793d56f2
SHA1 579f6fbc186b374ab2db88b25826d9e3a1710d7e
SHA256 5bb2f941bab163f0d28c332960e9229b4684a7d5da6559bd7eb47e0b22fcdac1
SHA512 f7c095f562ce9d97e11e99635569b381b372c1e0c67437dfa7fbac1d225df47ebe392860167abd51c66eebf6d18710e494900fe7f31565a3568fa1d929430ab3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cc558b13eab446cbf688584b367a0c4
SHA1 58c70223414e51a6b754d127d6c3c30d63c3f1ba
SHA256 af85a95629a70a57ff98bc8892615fac3424d7c496d1f63c85ca76b26e594ef7
SHA512 a29b21ac1c3fcf0a4b388976ff766d50f1af9b7925474b8d2ac255db493ce83223842993cb5e04c7b064609dc86343a09ac007f400075e080aa7a2d2631755ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe83960eb9bf00622dd94c1ed9c9888a
SHA1 4974f737066e4c94556f048d94489d59e1b63d0f
SHA256 18b7b3c5e37bfa443d32106663b5fde7c442e78f008db27180d1297f17248bdd
SHA512 7aab947f03865d833d1808a45de93dc16a04d8a7a52f39e701860e16e4e56e17e94bf0b4a34bdae26ecd72bc924b21f37f1ed9dc82c1b62d9f65ef1cebe8dd5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 2476d77b2847d8607f8b164d2ff75ce3
SHA1 e748086ab048c3de93cd4487ffcbc524fdc49a42
SHA256 e1aeb85b2262e913343e6bae45817b5e3fb81045e5c884835af5035aaad08e33
SHA512 7cb6ac4adacfec94b8efe028be912ba67e7a1f4e2c10166c37c4c88a40ffe241f0afea447944b579ebb2797935c33171b77b343a0fe0d637c4fa33fe159baed9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14b4fa321836dac85e31402ba7da0c72
SHA1 2af3a9cf3ba750eeb52898729e248729379edf96
SHA256 1b3c75068d675f0e26e75ef3dae13cf41303dde29b92903349fb37a7dad9f4de
SHA512 1c77599349aac3943864d546a06635a670c186bbcd9f2969bd62f43070251f50777bf84f3ff7af406899d35797fb62230d44e5d81a0814cc2160fb94c5acd5fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 394db1b9e2415df99df047b05e4a4b08
SHA1 faeb3adf8272fb7cdeb29a78a39ab53642fa2b8b
SHA256 cf00168249fb06031fe0f4e910e58a8f41788dacc515b1aac6847aec43aee54d
SHA512 a581d3c8bd6db90e920e23e158e9a57868cf3c898fb56b63a88a24b3300e7992dda5f2c5826bf876263d7b91087412d9300bc2e1904c7a438a330199ec7f6ef2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b28ffe2c8a0fe191f80a6439a2ffa608
SHA1 33fc00dd724f3d995a7293cda53a1480278ec684
SHA256 4381cc374d68404885f2464e8c424b6d41c95e7664de3ab3fdacb47d36a81c2f
SHA512 f85278dda8788ae0d3904de0b92bca70c85dc4619fa48649c620027dc2d8b010dc9bbf015aceab9cb2ee9b731db545365b01e34b3db7d568e4b6f99c59c93740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0651539b69dadfc4d6bc252b1d3d155d
SHA1 8ca88a75168d8b66654ba98c16aa484026fcc4d0
SHA256 b790e9b78363ebfb3404b57f528a9e82ef901a13505578198efd4ec560867b9e
SHA512 9401c230997a54ccc051a4c4b9d648670fb7ffad2cf50be513f3b7c21e0ac6d7a96b3f94dd33933dcff5c8f7a2a428232f1f9851174829da310af7cf61298f48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34321598b69a7aa2494e473bbb22b47f
SHA1 9a58b9edd9d8df4b0efe4d16e08404d255eb0bcd
SHA256 142c5b344ac678322eb59025a72e022312e309bf21e3d95cbca13b88651d2cd7
SHA512 669f72fe539bee6492b0d1889b5a522581619d0d9131186413b5b8e0d704f4a68200d69450e30e40b8a1ae575c6d029f3d9c2d23b450a4e6ecd913c5382baa32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cda2693d251ef4afc62398089aa119fd
SHA1 0e023a1e900395ec344f3114be1be77182e9fc7a
SHA256 a062af5382243fe2986eced09af36af649449719c7d6cb19ea736a131b747cfe
SHA512 3363c71e652c35343c07f965adc6af7c37c8ec407e7f2ca568d26ec27959f6ac04add5212066ba2b00dca09da1791838f250df36432b7021dd23b689e8442397

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 beac6e6d201515d58616aee567464dfc
SHA1 7839b38e1ff9531e8bd09b74f729f9b1803ffeca
SHA256 0018cc4a3eb4910e5777861be60aec4f8b5f514b1a3d1615cc161268abb1c921
SHA512 3e337f250e7b3114cc5de97a9bcbdecfb34d0fbf4de878134de46e3d2b07ef7bc2ce256f4318be7e1be595a6983c597ba7dca01466717dee43630db6af208fd4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 12:18

Reported

2024-06-14 12:20

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe
PID 1332 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe
PID 1332 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe
PID 4296 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4296 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 3968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3584 wrote to memory of 988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe

"C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe"

C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe

"C:\Users\Admin\AppData\Local\Temp\003ff3b8891b96b17e6130a539286cff73b37b2d4b4ca0adf24977aa7cca222b.exe" Master

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.30my.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe37b346f8,0x7ffe37b34708,0x7ffe37b34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,7298617839656367598,15330969539654350701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
BE 23.41.178.35:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 35.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 www.30my.com udp
US 104.21.88.20:80 www.30my.com tcp
US 104.21.88.20:80 www.30my.com tcp
US 104.21.88.20:443 www.30my.com tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 104.117.77.187:80 apps.identrust.com tcp
US 8.8.8.8:53 20.88.21.104.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 challenges.cloudflare.com udp
US 104.17.3.184:443 challenges.cloudflare.com tcp
US 104.17.3.184:443 challenges.cloudflare.com tcp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 8.8.8.8:53 184.3.17.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1332-0-0x0000000002530000-0x0000000002531000-memory.dmp

memory/4296-2-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1332-1-0x0000000000400000-0x0000000000891000-memory.dmp

memory/4296-3-0x0000000000400000-0x0000000000891000-memory.dmp

memory/4296-4-0x0000000000400000-0x0000000000891000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c39b3aa574c0c938c80eb263bb450311
SHA1 f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA256 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512 eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

\??\pipe\LOCAL\crashpad_3584_HPKQHLYKKVEWUSUJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dabfafd78687947a9de64dd5b776d25f
SHA1 16084c74980dbad713f9d332091985808b436dea
SHA256 c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
SHA512 dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9a02214cff9f3d553b229ecdc6507ef6
SHA1 e1f64416491c7f9e8038d9034d4ea573b0afd24d
SHA256 1cecd88d18d0fd5d3af3c7d28ddb2c43452542210afb53c229eec94097f2e0cc
SHA512 8f3fbd3b9942f38d3aedaf419a3d86e8630a895efee6270ee8533e6412854af00b01814f1036664e41776fea21ab2ff0a100547907262acb5ad708db58ba9e93

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 285911f80ef96f0e6491cdd9afbf4212
SHA1 1053cab0272d3191c3a13c33f7e1277e476b6091
SHA256 a8b9bc9c03fa1fbfb2de1c474c30dc68b7cc0f764cf23528ddb7093780be73b2
SHA512 24c04d5f07a548a1d3871aae33a706c879f60ebfb62b783b37d25f27e65eca3e56b4c1959ea1789456f8363e421f2bd4681cf5ca410765c33d1766f7da388e27

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e58711256d60e66207148c0b4fe5ba85
SHA1 11c40ce3847bbca6049af487d4a6feb906b78655
SHA256 24219493a95298fbeb1d8ad23dfdcabc4a4c321edd592291b755e618e79e3e05
SHA512 683cc05f17c144a546906f10fdaf8067d2495ff59e6d1a9b93f62afc7b10a6da5246a9cd5fd066f3bdb8fd5d2bbba7fb1262846d11e330f2ecd4b8d7478b612c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fe5058a5f77bf5b1bf9cfdb46a6072b2
SHA1 ebf32433e3b898b2c0ff8b1d93b05842a941872f
SHA256 f1f9a4f369285ae3af1837137c5a6386feb9250a59958c320ed3cb811fdd6256
SHA512 78d7aeb5d588a511b89aaa25ade6457e95d06eb3af94a1814511706296bf2fd96d017437d2dc99d7b362641731f2852ee1d1461a6fa23bcd5d9665a6737e63a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2ddec0973222d23864cae170253e7be7
SHA1 021efecf3a4d76b46609ea98b8ccde0496b0b9e0
SHA256 3d9cbea678558bfe06165b83d60ca798464b8eaffa793e450a4392416b629290
SHA512 1327ebe02f940d87adf7a2a8efee45abd4a79edeb70f7e1c35c2d4bd831abf42ed8bfe54b921d274fbca7eaf4310ac288462b5abc9dc17f9f4f985a88464a775