Analysis Overview
SHA256
b88505b4e2fe71b841b722d32fd939c54bc89e0acad6d9837110d85a109e1363
Threat Level: Likely benign
The file External A New Audio VN available from Matthew _2112779118.eml was found to be: Likely benign.
Malicious Activity Summary
Drops file in System32 directory
Drops file in Windows directory
PDF has QR code that contains a HTTP URL
One or more HTTP URLs in PDF identified
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Suspicious use of FindShellTrayWindow
NTFS ADS
Checks processor information in registry
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-24 11:31
Signatures
PDF has QR code that contains a HTTP URL
One or more HTTP URLs in PDF identified
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win10v2004-20240611-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2816,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 13.107.42.16:443 | tcp | |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfh00A.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\Outlook\outlperf.h | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File opened for modification | C:\Windows\inf\Outlook\outlperf.h | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\inf\Outlook\0009\outlperf.ini | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE | N/A |
Processes
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\External A New Audio VN available from Matthew _2112779118.eml"
Network
Files
memory/2972-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2972-1-0x000000007346D000-0x0000000073478000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
| MD5 | 674790f27c738abc3545d41de3c6cd82 |
| SHA1 | 08e0aed17f508247287c44c3d8ce92e8e0b9cc4f |
| SHA256 | 6487921e33b8a9db57ccde458d8aa8554c06c745bad7e7a2c025b7f7895d9d20 |
| SHA512 | 6859ca67d9de8fafe9ef5f0140b0c2d7c25c35864b1f51631920a0678e238799132b08ae9fea038f9e295f91d749914a964a3e2c0c4744661176492d9fb0d803 |
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
| MD5 | 0a1fe78b67f18e166f75db07a4f696e9 |
| SHA1 | 272e0429376f72eaa97df514c3977e4c2b929059 |
| SHA256 | 219a97f83e45eb94954717b08ab00b455cdf1e14a9017d0309fa29103953d8de |
| SHA512 | 69b268354f02f74e1e4ce9bb852b1191bd71941b7723d4e0d7edc4ca0b9c5b2b8a7121cd9432eb7f765f23835aa2bd0b23d529afd35be539a9968e89d29d9ae2 |
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
| MD5 | eb82a5565ba4e02617f2aa74bc74aea6 |
| SHA1 | c18c0bb6ffd607a91d0b728b289ee590aecb6dac |
| SHA256 | a21922db512c5925803697dade2514f5e4ee5e7f132af9f24e8e4cfaec4c0929 |
| SHA512 | 6ca2df34fdf21b0bc8dd3f1ad1ca2f307d0d881eed8c5d7a83a5c6015445db1a6714a37fdf8a0385030d5ae482555b4baa56591a8564c1d026ade72b23b4ba63 |
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
| MD5 | 1fd96ecd2fc71f281ee9eba9d1cfeb18 |
| SHA1 | b54074ac218703aee3f460e021b318b77c4fe860 |
| SHA256 | d074f64337094e3f42bb017bdc2e3a908f4ce1ee6b5b53d51d7254ee92f98130 |
| SHA512 | 6bcb2e190e73bcc44441cca76aec54684af03c3226882f1d00dbb4b33af7e316e3af2e9c30617ae5f9475c4af5cf05849dfcbd24f906496edfd244a0d80ebf42 |
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
| MD5 | 48dd6cae43ce26b992c35799fcd76898 |
| SHA1 | 8e600544df0250da7d634599ce6ee50da11c0355 |
| SHA256 | 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a |
| SHA512 | c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31 |
memory/2972-124-0x000000007346D000-0x0000000073478000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\External A New Audio VN available from Matthew _2112779118.eml:OECustomProperty | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\External A New Audio VN available from Matthew _2112779118.eml"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win7-20240508-en
Max time kernel
44s
Max time network
18s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\FZDVFGZE.jpg
Network
Files
memory/1252-0-0x0000000001D70000-0x0000000001D71000-memory.dmp
memory/1252-1-0x0000000001D70000-0x0000000001D71000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win7-20240221-en
Max time kernel
94s
Max time network
16s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RingCentral_e-Voicemail.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 79e008b653b041e622b40dba7ebdb6c8 |
| SHA1 | 95a680ce4aa634eaa7a88ffcda38fb9c68bea490 |
| SHA256 | 91c550ed494ca78f44838ae11f2f6eb73803e26746afd258cb84c602aeaef5a6 |
| SHA512 | 642da0cd9e9ebfa1ec6085a5c3d2d52903c1be927e026a489c4fcdbfbc205b1867dac568fba601af27d02b27c1d5bcc5c0fcf766acab4d52f24686d633119428 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win10v2004-20240508-en
Max time kernel
111s
Max time network
53s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RingCentral_e-Voicemail.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5B13DE5B94C0DC02BCA1DF983B9BD7A3 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=04C5F94DB57871EDAAB9F06F494C5BE8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=04C5F94DB57871EDAAB9F06F494C5BE8 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EDB544E8AF49F7170B000CFAC54BEFFC --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7200D83889B395AB2311E574E0D4A8D7 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0D630EBF4BC9A5368441995048FF0BB4 --mojo-platform-channel-handle=1840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DCB22D1AEDC16CF257EBB7617C9584CA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DCB22D1AEDC16CF257EBB7617C9584CA --renderer-client-id=7 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job /prefetch:1
Network
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | f3552d980311600352957c3982218a12 |
| SHA1 | 6c6963ad25fa1a57febba04881c6a02d0d0e924c |
| SHA256 | f77cab4c8f71ad869634ca61f88806a99203ee716212f43d42794cf1bb8ab756 |
| SHA512 | e1abd02080b56fd7fade41e39484eb432d9e27abf2585da69d86003266053d27a3a315f228ea9b753e377f53ac5616da593c950a851ca7c679561ecffbccc802 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win7-20240508-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef64b9758,0x7fef64b9768,0x7fef64b9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1200,i,12643230152863384148,1578129928424753805,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1200,i,12643230152863384148,1578129928424753805,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1528 --field-trial-handle=1200,i,12643230152863384148,1578129928424753805,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1200,i,12643230152863384148,1578129928424753805,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2220 --field-trial-handle=1200,i,12643230152863384148,1578129928424753805,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1200,i,12643230152863384148,1578129928424753805,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2920 --field-trial-handle=1200,i,12643230152863384148,1578129928424753805,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
\??\pipe\crashpad_3048_NGKNZIDYOJVGPEHZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f892e4730da096159da480ab69dca85a |
| SHA1 | 2f9b1f77d0575bbab2554da928c29e890f06e305 |
| SHA256 | 9450fbdbfe5a91673b567bee003582c7842bf4ab30286ec3aaa3602503c7f213 |
| SHA512 | 295d592e129d5aaf882307681ea6eb0beb811d3630d064de629511bcd5e8c1a91d8d5a9d6862730f25a05a35386b8b15eab8d663135c07eeae536c57e89f8c27 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 958a856dc749abf68152e39d17b8a504 |
| SHA1 | d3bee8c7bd142d1ed764837476998b3392ca5571 |
| SHA256 | 7ffc4426f3b525d0f322663928afd1e38fddefb654baf38d16a7a6dd4dac254a |
| SHA512 | 2b6dc1feea0153c5d84681fe8bb76366e5524af11d9fdc6dfce8b1d697ba81fc12755c7105f3e594dc36796f33a74b153d11e7539a59034f35422975a161fb35 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win10v2004-20240611-en
Max time kernel
114s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FZDVFGZE.jpg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:34
Platform
win10v2004-20240226-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637023251818941" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee7ce9758,0x7ffee7ce9768,0x7ffee7ce9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1880,i,8401010653269518684,4884310812029170602,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1880,i,8401010653269518684,4884310812029170602,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1880,i,8401010653269518684,4884310812029170602,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1880,i,8401010653269518684,4884310812029170602,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3240 --field-trial-handle=1880,i,8401010653269518684,4884310812029170602,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 --field-trial-handle=1880,i,8401010653269518684,4884310812029170602,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1880,i,8401010653269518684,4884310812029170602,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
\??\pipe\crashpad_1436_WAXWGKKDHFTFLUNO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 072580ffab3061063809b74875b1ad6e |
| SHA1 | 185eaa5272d410fc2a15928da681ab4b19a9da4c |
| SHA256 | 8b14986996476fc5979a1fc84d8bc14c7b9a6e94a8a07a31a8e22c091a233fb7 |
| SHA512 | a015b73362df80d204d2d71a944bb9fd59178519c683de07583f854187e902ca14d99b69a0d7e54b51de5d4292fcb9949b309adab0004a1d2b6a0471baaaf1c1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fdd1d5d2f1588d04627408d1d5fd93c4 |
| SHA1 | 75a0c2dfeb5e0ab7a7491f4f13e32fac4fbffdd1 |
| SHA256 | c9a1185b10515e67f3c950d9a7d2d582e22800d9edf68b0780b8aea39867df2e |
| SHA512 | 30ee1b9bb3dab14af03f35473f6891026fc021dffd7edf85620e825abab84474af176d5a1c3f7a1d3e14ea8b5b79d1e786cfcc8251df962da6dcf7d637e83312 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 321af73ec223f7341a2838ff0ac89528 |
| SHA1 | 1bb08633382a31adf84540eacb7851978a525c35 |
| SHA256 | e2c972629b5a096da3bbf8b7b3f99ecb908787d239cb490c0ba0f6cfcb3b1477 |
| SHA512 | f2f52d8ed8b2563205dd0d8b7039a812ccf467d8567e3937b7aa38fbf856f13d27f5b6ac277aa4c28541fb08262aaac60edacffe95106639cca6e255252332bd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d3a483efb866e31ebb9a8a8a20e3990a |
| SHA1 | a6a4c2e05b4bca7da898b2950aa13a3aa91566d5 |
| SHA256 | 2dd171f35214eaee7e7eb627b4ca00045a848e6627a32fec2cc4454f790c2209 |
| SHA512 | 3e32d3fe02a4a53aae79040a2f6d4752d38eb1f90ee173fc23d6f0248e590ab57031a1d58fdb38ff4752e4a03e467fa87a0ae206cae000c9098929e519715202 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-24 11:31
Reported
2024-06-24 11:33
Platform
win7-20240508-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7782A611-321D-11EF-A1DE-66A5A0AB388F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000030c7253e94416f383864d1ba5ace40baf4401042fbbc9d98842690c078775073000000000e800000000200002000000077b04527ce4a933de3515c4b311a2d60fcc17de8e9b5a78496214bff851cba5f90000000254a7548e38183d510196aa56b60d64466c0ae6ce368569567284aff105289f337a272fd84ef15e388a608301b4e9ec9bc5e2b96332e36ba6cebc7f99852b2138310c5e09f37a469726e7554d67bb5dd7f03ea047879551c872b1ad368894682c3b8be0b67008c80e530e3ddfcaa1d73980a952d0e61209074754c26af398a5c15289f785821d3882dccd01bdc260be140000000051656497607ccd77e13a265d61013752a379023fb550c976b2b79f4d91cda5d10fe9b6d90fbd9ca6df6f325b473c435ff3359cb78aaa926a2ce4bb2766f4bc2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425390628" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000006298edf978092fb0943de1434362a7e5d8d41feef5cd51dca35badd0f570698f000000000e8000000002000020000000fd5ab2af32c6aab037bd3dc9fdc581d488fe3415ade442cdac5a9e2af00c4810200000001cf673303026e9eaa89a6bdc96e029139df99546f196bc3ec0131a0c2a014dd640000000ca265daab36ca3ea04412aeebc09eafdde54ef58bc0efb8ef4e7bf126d0d26fcb9d808586c9212e35d82ff91c97b9af8954cf67449b24630e162840e8724e927 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0044204c2ac6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3036 wrote to memory of 2200 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3036 wrote to memory of 2200 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3036 wrote to memory of 2200 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3036 wrote to memory of 2200 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\email-plain-1.txt
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DebugAssert.htm
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar5C3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0900433146621fd33420e1cd48a40ec0 |
| SHA1 | 7b39eba82f8d92a2fed0f9b4722ad0e768fdfefd |
| SHA256 | 3857809d2a8cedf1333ebe7b22c66150ca01411cb4b736af49a4ad90748615ad |
| SHA512 | 6bc6052ea14edfeafcc0255078e00a972dd8251e6b379926a19b11c94d1047dad56ff55f2358b838f3aee83b496ddf85dab6af8fd3c24f3d763e4a6ec7c351c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e1df38aaab17863a46d3c304398493fb |
| SHA1 | de9245f1661a1f2d67e9a0de51017da8e5e8ee38 |
| SHA256 | e8e9ac2c783e6ee1f8b71a91e5babd247533a987f099fb31b5a453cc2ea8f4fb |
| SHA512 | 36867ccf418ac9b0b16a5240bb4b3a5c871b8499496533827080fd531fec46deef461a3e0f80e04332c45bf1a64097ddfef58e0a59b05aee5dbb42adda581a72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8300a2e9d0f0e277f025d519ad0b8693 |
| SHA1 | 72a192788bf4763845c207ca5e877d94072cf955 |
| SHA256 | 1d2664121c7b9b38552d5cd6101ea4c2bdf079f9b709827ef7885c961f3f54f3 |
| SHA512 | a6caef922f237074bf3114cd6c594c479ddd0ba6cbbfef2e3536eb84a4fdbc4aa5cb1e942cdc31b3539c92ad917280ac9aa73074b4f13da9cebc7df618ba1eea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b74ac604e0b4fa6c08f505c3f77703db |
| SHA1 | 58f6f5734e11e276ff679a28936a69844de0f738 |
| SHA256 | 59daeec52a4585099af9d12a66f2c004f5d64cf44c762cf52046e5cf2755d8fc |
| SHA512 | 4a70fcc2d0a6ec8d372671169fc278217ed3fb983a0685fb6af2efd65b3d6073ce8eec66070e8cc969a366fce44d9687f14aecefa57c7eef9d8f1100face716e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 29a21a420f7df48f7fb9754d22cf79af |
| SHA1 | e39ad89a771625e806fcfc70c33ffbfd4257f28e |
| SHA256 | 74b79347df5ab02a784df10c7e652213b9c8e555cc5bf462c9783936e3bd76d9 |
| SHA512 | 84350df32ffe341a20df4d491fa1a24c0a0187641939c2d47709f904d2427d2eaf405e5234bac45c5912d44ac51c9c532fc09153251523da87d16fdfe94028f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | defb5c13bfebbc24e372536a834eec03 |
| SHA1 | 4200b4608b3155d30f0578c177b9297fa66ad340 |
| SHA256 | 74178ea3e378427034ef75127fd3e23c8801bee6e0513b5a0f39307736aa8b9c |
| SHA512 | 93903107269ef8d164944fd89f76dd5f5ac594a8c3dd1aedc834268a4e37e5b6d7622ec672a6032d931c53547adaf65652b00da18332e56496941b44abda8baf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24fae08f66fb66ef63a5527766ba0d8f |
| SHA1 | 3732841ddd2256f30f1068be45e80515dd5c57a0 |
| SHA256 | 698d45e9c64b8a6bfe372ce5af4a0389cd4a3fe0fcc6802d4faadf7c6d3c9b01 |
| SHA512 | 9e91b2fe2e870954deebf8f4f566acf4a358bddb1bcf2cd89bbf7f24f4291b245ae2c7452b603fdcfaebfde12cb5a49f7a42ac997b98d8f1db5123ef8e29c26a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc398ad2cbe6019636f281f4d1327960 |
| SHA1 | 1a6d7a501ca16cbe9887090506ce6d73a271a3f8 |
| SHA256 | 7b7e353bc542a4d5306b9a987affe0e53e3a137fbb8be45fbc6642c1cac23912 |
| SHA512 | cfeee5bd8e16f3cef865d551bff8916774ab1f24af9039c7df77d9cc7934dc292df06e1dd16e6d11fa5284380104ed60977be985a74f1a643c964cbce552e8ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 62d0828a8bdd7afd11e2a2296a23119b |
| SHA1 | ef4571e517fdfccfc8d54abac67439eb5f6ca007 |
| SHA256 | 83a885ab5da5a0df7b0042891b0de00b5029af7140270ad717efee2ab8fe4d5a |
| SHA512 | 3082ff71e57b779c91db4ba9ed0ca0167027686b14df1871c332f722fe49caa36ab6da832dfc1f64e5c167bce5b123c7d8edbd9ca177ec91b2096322eec245ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cf66fb36e4c13b917417528210130c88 |
| SHA1 | 7befad9d62ded0cebaaf100beef93afbd139ba2c |
| SHA256 | 1bbf88d798ea0752bc4851dc12a6ea1658e088509d2d348cc96724732f1c5f46 |
| SHA512 | 3776c070455682c3b49fe61b91e4de26449a29bd88a7d87895f31aad186f15050f8e224de3b42e79c982f1c41e53bd96d07ad70b3ce89692db4428394edbb292 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31bc3ced2156ebc68bce456c42576b9a |
| SHA1 | 8e2fd341a26a36d314f51fb9de20f1c110dba006 |
| SHA256 | 062d0a5893c50cfda9ce54d9c8d77855606fce6412fc3f6bf284df3e8f7ac3ec |
| SHA512 | 0a26d1c3887b556d9a8330517470554a8c015a0b673366d3c3b2982db98d014b204737478d59944988fe1f8f7a5da2f6db801f03833e205cc28536bff8ff164c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 11e5a52fa5cc1159ddaeb9233d57d9f1 |
| SHA1 | 913546d2ab789e96d6850d4ed614bed3c28ad899 |
| SHA256 | 974634445555b78f17afde2513ed913f53bf341b3f0fb20d3ec611d9e5a1f555 |
| SHA512 | 005084ed8fdb4b77fa46513b54a6b93bbf57ac35f65b84b4c5d6ab724ad2e0f482d40f11a18fb7c3f25a4cb8ba63b636375755ebb99e9a07ef0535e03c40b72f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 481eefdf6a5c5731921464ab0979d44f |
| SHA1 | 94017bd6177015dde27f01839e4a9f3d29834e50 |
| SHA256 | 95037c806e1834bee1ef19a0c42a6e5535cdc7a341482467d9ce74122e7e47a7 |
| SHA512 | 1f32efa9b640558391f2d379633a98d4b8e67f6359926c1ad99666cafd8541e1f9c631b9746246b3090e1cf6a44d29d26dab2c76117b26c2ef4fcd77ac172201 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f1f35d0630ca76a1c3d261e0f27f03b |
| SHA1 | dd72f3641b91ad1612e330e87b2c04bafdf962bd |
| SHA256 | c25ef5f064350c1ea036ef3e42f6a7f171cfb3f10a0cda3df27df2a833407aba |
| SHA512 | 39cf7a33cbbdb3cffdbfd5a6219fcdc563026c3f66e0a6a367d3cad5aaa0f9bb3130032abde26ad8d110d1f02fa8ba07c0feb92c43c23ea284e64e82b7e604f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d98480b6665469b66586e166eb62710e |
| SHA1 | f40cca3e8c3b7d0ee661be2e530c110efc7d3801 |
| SHA256 | ea401a1661108130b0e789a78085d2986ee0c1ef73b100b2a82e64cf118847a3 |
| SHA512 | 6e92cbec30eb95dfb07aed59375d2c5fde3dbeaa28fc00eb5de22f10c809b1319653f0e6828bd0531ec7967ebaead39dc19ded3d2bc85f31a2ce3e23ab661861 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c0a48a1b4cb743a6a7340551bdb307d |
| SHA1 | f1c54bef1db88b994ae85dec3d6d4d60f4a4a98e |
| SHA256 | d8b9b6eb0d1f6fd931d7c118a39387339dd0c3ccc8b67d4d04b64ab25fa622ff |
| SHA512 | 5396a28293878a5f59358c9b3886cbae8e3e4c01f2e4258d2ea3afa3e73dc5416749dcd35a4b40df07e1668d7ca5d29113b8343c819c37156ab01375250485d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 55835bed5ae7a6bb75a189d252e20932 |
| SHA1 | bd466b03c166c6e130a21baa4755a356403f0753 |
| SHA256 | 644d3748225c4b402868bd8b39ba32fcb53e859305964a107214602f44608563 |
| SHA512 | 9e5eeee33bdeabe6e5609a687b45d967305fd2586b9cf13f6109d5e59dc4aa3ca26320bcfbe53b1844ae4995925f75e82d20bcfc3ad855757f602dc0e6e4f263 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35feef09157746bf9af4fa46dbc2a765 |
| SHA1 | 3f93e2e133d1c795e12e6bcec0328b607b2df745 |
| SHA256 | ba54e3711948d1bc00b4afaf81badbdce24dadae84eba4085861c0509b262dd7 |
| SHA512 | 9f161436897e20db40a52180b6d687422e688a23243fcec0038fd086859d7b52a86255bd27a04948e161eb1e652853c407b106e972ce3a90c37479b11a9ca189 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05a3d2d6916cbb845b26b3662c06e563 |
| SHA1 | 3e00034a9a6b6c59c6a9b306ff388fb268c2d3d4 |
| SHA256 | 8f105c425f17238e3508f2511f3fd15b397efb3f3da246d7b5cedcb550968aad |
| SHA512 | 2cc0d30b29feb59e1c1fc5cbc83c3fcb159e71c829c4ae2418a5ea8f8f168181e4c6c0d55fe7599fac87f79a689d203ff0034ea13bf4779bd4caf46ba54bb63d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dfa5ecd5719e0ecffb2c609000036d06 |
| SHA1 | 6409a4a6271d181a3e8f69699ec0ccb15373365b |
| SHA256 | ad10bae3826b4aea23bf0b9722f8a0da391d16e39a1277d78d20ad9a23f6aaa4 |
| SHA512 | 4ee3591bfd5c486d94e680ad036dc05ff6d7bfe19c863ba8ca03eb6e2d9af3b56d799cf69b83423f12fc653ad3b8877b988605b82fe956fccfa12ef52d9e22af |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 68321f3fe613398288a408bcd95db088 |
| SHA1 | 75eeccd5f41f76e7db14a2e3c312623cc45a4c19 |
| SHA256 | 4cbac3921a81bc43fd941e4151ba7957c14007e189b8238691292a7c59e45af2 |
| SHA512 | 3f88b2c7dc924e8e490310dfd7b56c723e9a8092e4d54b69e09d5aa11aa420f10c9fa0b6e77823585cb30e5ed5f42d4abc409619ef4f8c3c6f2415cf39e5fc38 |