Malware Analysis Report

2024-09-23 10:41

Sample ID 240616-ayjhvs1hmh
Target c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe
SHA256 c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef
Tags
upx bootkit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef

Threat Level: Likely malicious

The file c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe was found to be: Likely malicious.

Malicious Activity Summary

upx bootkit persistence

Sets DLL path for service in the registry

Loads dropped DLL

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:37

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:37

Reported

2024-06-16 00:38

Platform

win10v2004-20240611-en

Max time kernel

81s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

Signatures

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WindowsClientServerRunTimeSubsystem\Parameters\ServiceDll = "%SystemRoot%\\csrss.dll" C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A dropbox.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\csrss.exe C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
File opened for modification \??\c:\windows\csrss.dll C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A
File created \??\c:\windows\csrss.dll C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629718638726631" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{9AF48081-C2DB-4B51-A893-6471E7F8BF35} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1544 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 4304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 4304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 2208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3600 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3124 wrote to memory of 3172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe

"C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=1408,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=1940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=1412,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5376,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5500,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5516,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6012,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffe09c94ef8,0x7ffe09c94f04,0x7ffe09c94f10

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2392,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1904,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2548,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=2672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=4016,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=4016,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4772,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5092,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5116,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5472,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5608,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5584,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=4580,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=4544,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3580,i,4435073546619841093,11979310290036655447,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 www.gusanito.com udp
US 13.107.6.158:443 business.bing.com tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 75.119.206.59:80 www.gusanito.com tcp
US 8.8.8.8:53 www.gusanito.com udp
US 75.119.206.59:443 www.gusanito.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 2.20.12.101:443 bzib.nelreports.net tcp
BE 23.55.97.181:443 www.microsoft.com tcp
US 75.119.206.59:443 www.gusanito.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 101.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 www.gusanito.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 update.microsoft.com udp
US 20.109.209.108:80 update.microsoft.com tcp
US 8.8.8.8:53 108.209.109.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 dropbox.com udp
US 162.125.248.18:80 dropbox.com tcp
N/A 224.0.0.251:5353 udp
US 69.64.59.144:443 tcp
US 8.8.8.8:53 18.248.125.162.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 13.107.246.64:443 edge-mobile-static.azureedge.net tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 69.64.59.144:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 69.64.59.144:443 tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 mail.yahoo.com udp
GB 87.248.114.11:80 mail.yahoo.com tcp
US 75.126.60.251:443 tcp
US 8.8.8.8:53 11.114.248.87.in-addr.arpa udp

Files

memory/1544-0-0x00000000009D0000-0x0000000000AB4000-memory.dmp

memory/1544-2-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1544-5-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1544-6-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1544-7-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1544-9-0x0000000010000000-0x00000000100B8000-memory.dmp

memory/1544-10-0x00000000009D0000-0x0000000000AB4000-memory.dmp

C:\Windows\csrss.dll

MD5 7dd38f8951c2fa66a1291c7d297e1947
SHA1 a3feb1be32160c5196bba30830c1543958ac0045
SHA256 c6e185606e9ed62db354b8b8a298f470c01dcce8c5a4f409bfc5b918b5fd1c09
SHA512 cf6575bbcf7c8442e98d3e05519c79eb58a1e268acd1b66ce1fd8e9e8192a3791ce02474e5a41c4848644806dbeccb40dba93e6ad57bb37a5fa78528df0536f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2091d0e7140d7c00ebffc80d1fa01932
SHA1 2bfd04b3cd14b568983ea81a6f588ee2443d1617
SHA256 a453e55bd9aa728f4ac31aafefddf02ed8e06435dc908d1f973c32fe6ad5c6c0
SHA512 61ebb1e781b9afaf9d4f58e3a1cf7c9b9ebea9d74f9ec816476606c4f2d9deec5e1c57401d5eecfbd95b126c1a5cb0b5843018a18323a6505c7dfeb88837206f

\??\pipe\crashpad_3124_KDQWISZJXOVNJEGO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 436d81c7ab1cdb4a736dc4a4b767daf6
SHA1 9f17e3a3142e8b20f822da27a2f30e9f5b3aac04
SHA256 92969cac136ee7ff8f1b8106eaa67a07f168afc320d67525614d1b6c202419a1
SHA512 8c355c0ccc17e97a7ccc721be188a1d8470aff66d914915461e19d328b976cfdb8709b462bd0ecb193488246e9340c4868ef77eafd249df7e1bfec0367b4d2ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4fea3ee7fdf2f337eed9715582d0ce1a
SHA1 23a3a22b074c73bee23a12a683a9ad4cd793d14a
SHA256 f466529468f88c9c55fa92e690bdb04f9fc3a8e157ab9fc4507324aea925d98f
SHA512 81017ef2123bbe0b6d6f945c08b0ba77d8014c21734c33a49bbfacb91c4fe89bf5c9f2f0a2b47f97e36245bfb07d7909fea23da5b7a142c6b91cdd2ce772383e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856