Analysis Overview
Threat Level: Known bad
The file http://youtube.com was found to be: Known bad.
Malicious Activity Summary
Kinsing
Blocklisted process makes network request
Legitimate hosting services abused for malware hosting/C2
Launches sc.exe
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-25 15:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-25 15:33
Reported: 2024-01-25 15:36
Platform: win7-20231215-en
Max time kernel: 120s
Max time network: 123s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d404f1a34fda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BA67671-BB97-11EE-9E34-CE9B5D0C5DE4} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000ff0825748bbbd1491fa9074048181e2f8caab4c65ac475dbf490b13497b1c357000000000e8000000002000020000000a04eecc97a06059ca3273fed17a64cb0ffe48e82f1bd363a38b6c893930ef8969000000015f4a42e6fc46d3fb72fb7a99694bd978466353d5543e14fe896f49b13245b00e08e8f6c2664641a417b908367de2f1d7ba2634b173c6873ea34523a3697713d2a5d03de75a8024af31cc9b542e227bdb6f36f0e71b53becb90a8fdf772ab43c2baf0137342850e2c510b50c6bbcfb3f93093ab4ce864a33676df9d520379f900866d24d8cbf2d2310b5cab81a11cc5c40000000e276e9ceda371858272469f7a9c81336cef79d8bf333a5264834c51aa27f682821c994011e2076cd3925d5674d19f3cf570e4e1b91f89873cb4058f5523d1e8e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a000000000200000000001066000000010000200000008d44e2bbf114545bf6f986f2350ade2354d8ba20bc29ae33f5d4595870f6614e000000000e8000000002000020000000d7b0f946a44c3c13e985a0ac41be0040cdf9772ac4488ccbac83fc12f1912ec820000000bd267422e362aa5ad87bfbf053172f38e80da6d3394a6ab7fda0b9b3bc5977cc40000000515260e9775e344070741495e35e699c27aa3097216bbcc161fff7bd22e5a69697ebeb2b7dd2ba915733b400b89ea7b563a9fe42d4a712b9fda153143a4fb0fd | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 2108 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2128 wrote to memory of 2108 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2128 wrote to memory of 2108 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2128 wrote to memory of 2108 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://youtube.com
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 216.58.201.110:80 | youtube.com | tcp |
| GB | 216.58.201.110:80 | youtube.com | tcp |
| GB | 216.58.201.110:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 172.217.169.14:443 | www.youtube.com | tcp |
| GB | 172.217.169.14:443 | www.youtube.com | tcp |
| GB | 172.217.169.14:443 | www.youtube.com | tcp |
| GB | 172.217.169.14:443 | www.youtube.com | tcp |
| GB | 172.217.169.14:443 | www.youtube.com | tcp |
| GB | 172.217.169.14:443 | www.youtube.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\02cy2i9\imagestore.dat
| MD5 | f5c0d5787b9cd5f1c55713c54ad8661b |
| SHA1 | 13c26f587d29483ac2d47a310e0ebb3695bc6dbc |
| SHA256 | c4d1c4adc1061bd0f4e6496aabfa458884ec6fd77c32f39794836757081f5225 |
| SHA512 | 0a3f90e970a5b4810a5d310e239f797f6b8ef739a44bf736a5667583827b72ef655fe94baffc3d5cae4afb27650c4b08e7290cc22122c6c5d91aa1206f9f7749 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\05ZIV8W0\favicon[2].ico
| MD5 | f2a495d85735b9a0ac65deb19c129985 |
| SHA1 | f2e22853e5da3e1017d5e1e319eeefe4f622e8c8 |
| SHA256 | 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d |
| SHA512 | 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b |
C:\Users\Admin\AppData\Local\Temp\Tar345D.tmp
| MD5 | ff49e2eb065eadca69b00510ad17e707 |
| SHA1 | d9746faca974c5a3fd121f25caf2f97181d8fb3d |
| SHA256 | a0e2f11722975fe55fb2981744d79f2b25588537b3df834b4ad7c965d9fdbf43 |
| SHA512 | c183e7b346a30d54bbdd87dc2c476d9644b17c01d5c59a5e2ff6d39ce0c77ac155c96f1cba38a4e14df17da32e41430e9d66a24f5aeffd63430739fbda7c3220 |
C:\Users\Admin\AppData\Local\Temp\Cab345B.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c6eb67f4515d76a8c111cd4e6231728 |
| SHA1 | d064d9c86e91126f2c3344691bcaec0d8969914f |
| SHA256 | 289ff2e3966003afb78ccdd4bb6e2feaac2fb5fd5209ec8c27801453f62a9705 |
| SHA512 | 43d5ac6d63dcc2d287746106099f7d86b578efd03e433d9d57caff8274b2ef1291c687a21c188fcb969cbf9c19731fbf381251c9eb5f47971478ba2917e158b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6c794c48273f93ea71118f0af9d5693 |
| SHA1 | c0aa34f819e8a93b1e6b50d161e385295838ccf9 |
| SHA256 | 6e77f5c00501af308f8efc5897f45d06059e960453def24b16326db29f896718 |
| SHA512 | a3f7cb3d372bdf2ee1bf23269a9862f21aa0393b902bd1822509226a78a69eda4b8e4d8a56441eb6a79cac9d71c8a3be8d6225853b32c8737d5a338efddce60c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a4eb3281531921976a063cbdbff4bc5e |
| SHA1 | e11c8af4224cc82a0bcdbdb8e98d8b08a0c88da1 |
| SHA256 | f3d5786c59d39fc4aa0e1c0f22d186008a3a0dede1f17c0602506c2bd986b93a |
| SHA512 | acf45238d6d956b6245453abbca6edfdffb1009cc46fe74986b7c2604ea5490f6d35f15f9d4b9d6e6ce9f23ecd4b728a3f755c5fa95ec611f380ff3102634754 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1cc2e574f656ebd8dbe5e10e29e9a611 |
| SHA1 | 3e843fbcb1d923772d58b609f0bb2a821c5322bf |
| SHA256 | cf3632df72450b46724ea724a5a1fcd67352a872ad131a03eaaae8172a3622fb |
| SHA512 | eabac66ffc37cead1f63da2ec6a46d5831ec020b1cc9d739a52700ea8c12c557275568bbead77868afe67454326c71021a1799508c688470b6995ba51675c822 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 26ff1c0eb8d4f74b1c7e07b3da4e975e |
| SHA1 | ee64739734de765acd2a34717b6476f356e2c6d2 |
| SHA256 | f7ef1ce1660725001f1f549ea9630d3b758799b19ab4eeb81fe4b974df03c065 |
| SHA512 | d6719a4c641a1a06b8c3b9a15d6c07b5f981e4b2744908e40c0e042ba6ed21dfd95a71f186ac27866f5cc16976a96608bc1af5ccaf406a5e91c42e7411479928 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a5a003678de43c6de9ae1e76b8c2acd5 |
| SHA1 | ec9d88791eb021befbb9e1f7bb6a835a5df83ebb |
| SHA256 | 07beb4379be294e5a125c49310413e1a53a321849c5ea8db27829db335b34da5 |
| SHA512 | 5df11538d68ab4c4c55c35649c25b95004d07fd48daaebeda8b793d8627babc4dcb4efc73e1b1e528cb05aa975a49029a9a53286da5fa8ce9b3332080480289f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4139ce3b3ae863eb19ff7859b1a9b20d |
| SHA1 | 1bfbb0eced10a78ad3909eda927eeb69bc4cdece |
| SHA256 | 605c69e214751b7a937495ee88bfa5cb1e44941094c20978a56afc28f67e6f19 |
| SHA512 | 0f4df61dcbac7480983a86859c33784776cbf5e7878eda9c5574416c1c784daa92c983f2627a5a72e7554ff7ce695ddf570a00fef4e0e0445a9a162ff0879eda |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a76c0f82e9daeb55b351462915171b34 |
| SHA1 | 1355e91731789d7304437d1376e3d9d0383f845f |
| SHA256 | 12012c58526e965f293727256a5841cf7d1c65b3c5045f3aa577b1d425807af2 |
| SHA512 | 00f07d6894c84c50afd202e34d3124196435654df1b71f9f1cdbefb658a09f1256b2287b7d0dec5ea6b94a163039787c6c01858790e81915d014edbd7a852e52 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e233eaa5b1357947c26de6b4a12aafbd |
| SHA1 | c0e5e7727447c294e9289bcadc3b0e38b825d2c6 |
| SHA256 | 63340aaeff53390f9972de6983a68516ddd94bbb2ad2ceb4bc74b70da56e6044 |
| SHA512 | 404892a67e47827fab6bd6c32aa2a03756f5010b2254e262aeeea8cf88e3d21623f18b39910956398c7de05c6345ddc18c5f05734c5e1730a59750abcaa1635a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 21f863cbec662bfb59973337ced6f9ac |
| SHA1 | a0624a6e547ea7c79d2ed49a0fbbb14f960a7c51 |
| SHA256 | 739d0c5d67a86162a0a3d01cb775599448e1eba50635330300620ad9876c6ba8 |
| SHA512 | de6124fa3e7ab9eb987c64a3607d01d49bc02302aa27f66d007ab4a36a20f7327cfd35aa825ebee4ee1c67e2b4f6eb02956a1683ea9f1beb05cd87ba912062a6 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-25 15:33
Reported: 2024-01-25 15:36
Platform: win10v2004-20231222-en
Max time kernel: 149s
Max time network: 152s
Command Line
Signatures
Kinsing
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{01621E72-B161-41B3-8EFA-C8FBD7E25B0C} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youtube.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff20d946f8,0x7fff20d94708,0x7fff20d94718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3464 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4a0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4756 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_82148513.cmd" "
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_82148513.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_82148513.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
C:\Windows\System32\cmd.exe
cmd.exe /c ""C:\Windows\Temp\MAS_82148513.cmd" -qedit"
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_82148513.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_82148513.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
C:\Windows\System32\find.exe
find "127.69"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
C:\Windows\System32\find.exe
find "127.69.2.5"
C:\Windows\System32\find.exe
find /i "/S"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_3988_RXJHZWMDOBFGWIIE
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a316.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\958a9ec1-89f2-4ed2-bc3a-728a3f915673\index-dir\the-real-index~RFe57a7aa.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\958a9ec1-89f2-4ed2-bc3a-728a3f915673\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pzhsu23e.0tb.ps1
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596fe7.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
C:\Windows\Temp\MAS_82148513.cmd