Analysis Overview
SHA256
1f38d19213588d5c202cb33491175a72f403936ec55b9c88e2a6b48d8a3e122b
Threat Level: Likely malicious
The file file.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies Wine through registry keys
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:33
Reported
2024-11-13 14:35
Platform
win7-20240903-en
Max time kernel
121s
Max time network
140s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437670265" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000073e51fac0e727912a86e70ce60d3e7c585783a63182e22ee9e21343181f7a626000000000e8000000002000020000000484207810debabb366857f85bf0ae234093eaf99a5161176e5e30b418f64156b200000006e141868a64f5e599a95fd80b513a8fa589d25ab2c4e09d68b6ae3c885462e15400000004433aa8c9384ac0b63f9f17a99b20ea9a564d03ee028313f9d3437b352a220d943d29af45041bef35ab4a4a5693084a1a56a7438b0f7dc51d9a46da7c7c7ab23 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c05c3b11d935db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39212AD1-A1CC-11EF-A0FF-7ED3796B1EC0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000084e9ea1ff911c00f7a5872fe71caa0e0a19542d79c48b5a6eab2633c4e3b1a7a000000000e800000000200002000000082104e3081f1451a795aa992f89fc360d4f2c73bef613ada58f58fb14bc89b0a90000000636b8a2bcc99dfd130406c50f13036386d4cc106c94a094c81999ea8169d3561755141340e874dd334974d83ea1399b37817e7c8c22c4d732b0292a6ff7087ee9b85301ae8dc2e8b5ce3dea55933dfc6e0098718c578886780fb13669b342359c4fb8f5896e5c2ffa64a6b0c7aa2df66fe48ec987035239e62ad31825e1c0286d8b4dac7d5307e3db413028b287ac98b4000000075fb13802fe9b95827300308300adfd5e84f47b7b8b070c9ed8c3500055687c67f0256e6d0b34882455ee2f5a36376e19149e6d1d8e76ec73d7963b8600d0c9a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:33
Reported
2024-11-13 14:35
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94b6646f8,0x7ff94b664708,0x7ff94b664718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94b6646f8,0x7ff94b664708,0x7ff94b664718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1662572504031550703,3803286072069483888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3100 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.150.67.172.in-addr.arpa | udp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | 3.26.192.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.246.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.189.173.7:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 20.189.173.7:443 | browser.events.data.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/764-0-0x00000000005A0000-0x00000000008A8000-memory.dmp
memory/764-1-0x0000000077704000-0x0000000077706000-memory.dmp
memory/764-2-0x00000000005A1000-0x00000000005F4000-memory.dmp
memory/764-3-0x00000000005A0000-0x00000000008A8000-memory.dmp
memory/764-4-0x00000000005A0000-0x00000000008A8000-memory.dmp
memory/764-5-0x00000000005A0000-0x00000000008A8000-memory.dmp
memory/764-7-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-6-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-15-0x00000000005A1000-0x00000000005F4000-memory.dmp
memory/764-14-0x00000000005A0000-0x00000000008A8000-memory.dmp
memory/764-13-0x00000000005A0000-0x00000000008A8000-memory.dmp
memory/764-22-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-24-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-34-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-39-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-38-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-37-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-36-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-41-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-42-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-43-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-40-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-35-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-33-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-32-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-31-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-30-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-29-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-28-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-26-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-25-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-23-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-20-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-19-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-18-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-17-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-27-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-16-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-21-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-44-0x00000000005A0000-0x00000000008A8000-memory.dmp
memory/764-45-0x00000000005A0000-0x00000000008A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 34d2c4f40f47672ecdf6f66fea242f4a |
| SHA1 | 4bcad62542aeb44cae38a907d8b5a8604115ada2 |
| SHA256 | b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33 |
| SHA512 | 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6 |
\??\pipe\LOCAL\crashpad_2692_KPGNUVKCLBZBCNSJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8749e21d9d0a17dac32d5aa2027f7a75 |
| SHA1 | a5d555f8b035c7938a4a864e89218c0402ab7cde |
| SHA256 | 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304 |
| SHA512 | c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 340977ec2d8d5eb949506ed2990beb10 |
| SHA1 | 1f2e17093505ac286631cf7f368f0e1c012fc979 |
| SHA256 | eac06ea7ae19a21f20031df3ad303f314c4ebba0c982a8638149515473b4a1a5 |
| SHA512 | 097ca9a501de4b15041ee61e0019304b764f505a4314b355c99cf8092709ed7f0cd8684a33e8095dbbeea9e365b284227a2f68930ba1e2d5e87affad45870e15 |
memory/764-95-0x00000000005A0000-0x00000000008A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/764-104-0x00000000005A0000-0x00000000008A8000-memory.dmp
memory/764-107-0x00000000005A0000-0x00000000008A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 150c7d5f895f346e362217afa825bc60 |
| SHA1 | 89675199f00b602aa4992e9a537624405c5c0423 |
| SHA256 | fe67986295b3e8139a58d6b4a60419a4c84a3a91cd02f4208df7bed04e4296ad |
| SHA512 | 88c2170108e3562769c466ca5b70e0db12758efecc898b69d2c61324b75ceda5588be6aa2533994d6fc0cd6b392fdf92d67b761a587f646f6cb93001f04e0297 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2fb15e557b5ca89e6216bb47b68955cc |
| SHA1 | e673e3937b2dbce1c9170d9f042dd26152a0436c |
| SHA256 | c9340049ecf80342e370cedc0517ec43233c49717bfea451337f7201dc821998 |
| SHA512 | 72714cc3d5dd4aea2f917786f8f717ba08250a60101c459617a9a2a789c80274751d8973d09f2282c4ca1c3593a13b20593928fc48aca6ba45c7a4079f373e55 |
memory/764-132-0x0000000005FC0000-0x000000000627C000-memory.dmp
memory/764-158-0x00000000005A0000-0x00000000008A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3648c09e81b13a017dc2e40de57fa1c3 |
| SHA1 | ad2fae924c5de12f852c5e569def2e86548cb357 |
| SHA256 | 4f42442d740aade582c08eff5bd488fd3a77be8b978462b44e9b3e53f4c1731d |
| SHA512 | 07b2d8dd5106be923b80c7dcf7422a43effe341f1091ebf3620561a61f73c194d52280e8f8f31a348ad33b35be43f83eeee05ad559af85ed727b6735c2f53003 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5808e4.TMP
| MD5 | 033161ccc3ea4c3d8767fe55cf9dcad7 |
| SHA1 | afc97bf5f4e62c803f23f5139e99c67f93e5f7ef |
| SHA256 | 802499de601775b22df5d09db20a85dd6515478750ca780890078544bb1dcf9c |
| SHA512 | 28541ed96b4998e352624880a9f961063aef34b6128fc1e86dd5b2705a8337159f1accf09545d6996a761bd2ff5d697212e51b55520f9f2f11d7c20ac71ba609 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e8a6e3d297e5c45b094bbc7e208d1a9b |
| SHA1 | e054cb395425435e55df38d3e6fc2d9b5ef5bd41 |
| SHA256 | 47909c34aab3c55b634c907dba5813cb74228d6eb42050edc3d3d64e88c2b841 |
| SHA512 | 401f62d3278d302c33f440a06c934fda3bb4b9645513d4e80a662070f0587e3fd6957455eec46a8f50f4ac305e7cc267532904203eb9195f91c2ab017f316c10 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c04214c19f8c05d2352ebd97386f90c3 |
| SHA1 | 1ad7e97fa42249b3e42a9bacab049253c2ad3793 |
| SHA256 | d4edbe9fc7de7c31bb6193a47cff17ffae84933141ffaa57a8c86b71ac389efc |
| SHA512 | 359ec2ced9960e25f35e409e45994eec32e97004fc9a5c5a5ed9c0556c2305f7fbd0c0189b1036bc35fd91a6dbc4f42fc901ae3646c63a6d45815beee4b2a70e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 05592d6b429a6209d372dba7629ce97c |
| SHA1 | b4d45e956e3ec9651d4e1e045b887c7ccbdde326 |
| SHA256 | 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd |
| SHA512 | caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa |