Analysis Overview
SHA256
bec9f2a7ec3d4df0984c88fb0d00c78fc014d3a2838004b8f94a693e45597481
Threat Level: Known bad
The file b3e8fb49ecae196e126b32f1557796a7 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Checks computer location settings
Executes dropped EXE
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-05 05:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 05:32
Reported
2024-03-05 05:35
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
njRAT/Bladabindi
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBRAN~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENCRYP~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b3e8fb49ecae196e126b32f1557796a7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENCRYP~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\crypted.exe\" .." | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\crypted.exe\" .." | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b3e8fb49ecae196e126b32f1557796a7.exe
"C:\Users\Admin\AppData\Local\Temp\b3e8fb49ecae196e126b32f1557796a7.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBRAN~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBRAN~1.EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/juvlarN
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff99d4146f8,0x7ff99d414708,0x7ff99d414718
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENCRYP~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENCRYP~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548 0x544
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,5142952890433790632,17137465342882537245,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2420 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.193:443 | twitter.com | tcp |
| US | 104.244.42.193:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 8.8.8.8:53 | 193.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| US | 104.244.42.194:443 | api.twitter.com | tcp |
| US | 104.244.42.69:443 | t.co | tcp |
| PL | 93.184.220.70:443 | pbs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| GB | 151.101.60.158:443 | video.twimg.com | tcp |
| US | 8.8.8.8:53 | 66.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.220.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.60.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| IE | 74.125.193.84:443 | accounts.google.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 8.8.8.8:53 | 84.193.125.74.in-addr.arpa | udp |
| IE | 74.125.193.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | appleid.cdn-apple.com | udp |
| GB | 2.19.148.40:443 | appleid.cdn-apple.com | tcp |
| GB | 2.19.148.40:443 | appleid.cdn-apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 40.148.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | abs-0.twimg.com | udp |
| US | 104.244.43.131:443 | abs-0.twimg.com | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.43.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| US | 8.8.8.8:53 | rodrigoramos2003.ddns.net | udp |
| GB | 96.17.178.174:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBRAN~1.EXE
| MD5 | 6c5337eb800ec72e48faba9e20d1035e |
| SHA1 | 7089f8c22a4800e62137cd6b5dc7edd246c9816a |
| SHA256 | 0e3506f8182a1246f1e01d67afed17748851803a6708fcf7bdf933d5a7cd03da |
| SHA512 | 5756aa981d7deab724b23f1a2bba28c9d1f9b320896d4cd774aeecf57911a75eec393bf012e25a2c1d199a5497d8e2cff8dad7281cc1f9996fd10d1b0602229c |
memory/4144-7-0x0000000000DB0000-0x0000000000E78000-memory.dmp
memory/4144-8-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/4144-9-0x0000000005EB0000-0x0000000006454000-memory.dmp
memory/4144-10-0x0000000005900000-0x0000000005992000-memory.dmp
memory/4144-12-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/4144-14-0x0000000074F80000-0x0000000075730000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1eb86108cb8f5a956fdf48efbd5d06fe |
| SHA1 | 7b2b299f753798e4891df2d9cbf30f94b39ef924 |
| SHA256 | 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40 |
| SHA512 | e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENCRYP~1.EXE
| MD5 | 50afaae93ac6e46d51ec4b0a3895002d |
| SHA1 | d07bc731d8a98368de02e2480a59fb1269236f43 |
| SHA256 | 7a914722e956230a4b058392551f59ee11a033228a900f5821a3c516b2b5f5d8 |
| SHA512 | ba3ecf042ea33249a2dffe8346945233208a89183e095433befb25ceac21e545be886846f5674855d819841a187c08988d78092e11b668e22acc57b36976027e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
| MD5 | 424bf196deaeb4ddcafb78e137fa560a |
| SHA1 | 007738e9486c904a3115daa6e8ba2ee692af58c8 |
| SHA256 | 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2 |
| SHA512 | a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lua5.1.dll
| MD5 | c3256800dce47c14acc83ccca4c3e2ac |
| SHA1 | 9d126818c66991dbc3813a65eddb88bbcf77f30a |
| SHA256 | f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866 |
| SHA512 | 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25 |
\??\pipe\LOCAL\crashpad_1744_BHRVIYHLHDKKEFJW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f35bb0615bb9816f562b83304e456294 |
| SHA1 | 1049e2bd3e1bbb4cea572467d7c4a96648659cb4 |
| SHA256 | 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71 |
| SHA512 | db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.cdd
| MD5 | 3e7ecaeb51c2812d13b07ec852d74aaf |
| SHA1 | e9bdab93596ffb0f7f8c65243c579180939acb26 |
| SHA256 | e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96 |
| SHA512 | 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f14e9afbe76ae6845513cc64bdd3674b |
| SHA1 | ce2335d58d4d83f491d2a22fb58ffe9ca1799b77 |
| SHA256 | f404d0355c0581024507abb273a7f13234e8b596f111b81e8324e49c3391ce86 |
| SHA512 | 00a581fe5055ec9e916c831c4a13ce6ef47be899810b881fbb33323c47969ec86ff114a92af6d7c4135a26c633207033c41582022b50346c6bad0db3870a09f3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\630_10.png
| MD5 | 340b294efc691d1b20c64175d565ebc7 |
| SHA1 | 81cb9649bd1c9a62ae79e781818fc24d15c29ce7 |
| SHA256 | 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9 |
| SHA512 | 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fs.settings
| MD5 | 68934a3e9455fa72420237eb05902327 |
| SHA1 | 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04 |
| SHA256 | fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa |
| SHA512 | 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c.dat
| MD5 | a1a1fed3426eb8c7c304574643495146 |
| SHA1 | e11a1ff64036927cfcaf2aab8136d42d0946feb3 |
| SHA256 | be525752042ef46d7cd1994cc0215a8cbb4b36d328e1389f582a0c8c5001d82b |
| SHA512 | 0d4e53879438a4dbec25fd635df7bc46289547b56bafed339f5140ffa38802ee307ad5e20d962349a79d8be1518c7f1de94cc085eae42c098d2f9fabca186e9f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
| MD5 | 09ec4264c357115b14b7b557fbeb9e6d |
| SHA1 | 6029dbb59e1c235fbc8b5ab35b072aa9b41985bd |
| SHA256 | 9b3864702f4d47c13f315dfa5d2c7393eab9e2b7d56633e26a6196cbbf65b1ad |
| SHA512 | 6c75ae07701b5af640dbf15ea2b247dbc59d28bbe976142808eacc6264fef07f0b388bd9a0e91f169f913f6d33f163a07dab828d90e7c8b3b531c2be2987a7a2 |
memory/3748-81-0x0000000072850000-0x0000000072E01000-memory.dmp
memory/3748-82-0x0000000072850000-0x0000000072E01000-memory.dmp
memory/3748-83-0x00000000007F0000-0x0000000000800000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1467f54355e24476d3283ffd7dd48d0a |
| SHA1 | 3a24b6dac85b2eab2d5b5356e336f60066e9f260 |
| SHA256 | 4a3e9959c87693e7d3e198171f672725cbebc3df330fe569538b3cbd15cd7082 |
| SHA512 | 7d7bb7f76be65f6af38894be1149fab27a99788f9b8d6295570add06118e6926a47fbbf6a8c6e6b42af0c8c427ae3b68022ea03b3b57f19f91568525beb25fa0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fd52f24597e8169491451dfac92e203c |
| SHA1 | 5683c71a5de3fefaa4c4714864136da04bc74cc0 |
| SHA256 | 388e7fd9ee6586836968aeee7d684214e776b8cc2110c06c552688b79607c2fb |
| SHA512 | 6b5801f6762a522fad1e511d4fa2f636f0a2a8afc0bc1646f1c6346ace8afdc1c291a3ebec2061c51962efbb11685d2c453e860a47df8e7d0efe088f0c196089 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c
| MD5 | 1c237450dc5c7d595a5fb41ef5420866 |
| SHA1 | 5308c8fa31cdf1d0eb0ddd071ee73e2e2c98ed83 |
| SHA256 | 68d3c0f7e8d7c3f8ac6fdbe883f6b9dd1b00387e541d312a0ddcfecc60d2490c |
| SHA512 | df60668c1a77b7042e90f9e8b351463f4775dac3dc8875ac43c72a024689a7726b7e4ad4477c82a0a909e939e494fdd34f8688e7dc365480ad576d43a1beb1f3 |
memory/5352-311-0x0000000072850000-0x0000000072E01000-memory.dmp
memory/5352-312-0x0000000000DE0000-0x0000000000DF0000-memory.dmp
memory/5352-314-0x0000000072850000-0x0000000072E01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bc2570c186604a51f2d43ab91dcedc19 |
| SHA1 | 7fae9ba2f0173ff57f1fcadf6381d3ad94ab0c1c |
| SHA256 | 93b25897c3908327269fb0380f1d6820471aa06a7668d9286bc88fc8630ab444 |
| SHA512 | 8d477e257eb9776bf779f2d881cf01351a2f11a030abd82f44c408e44843cb33d259eefa87700d66bda6a5cbecab75dcc44808ac1774add0636778d6453bdf6d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a160.TMP
| MD5 | 768add9acd608780e11830f10f411d7a |
| SHA1 | 3477dca57447f412deb27853d9d8305f4efd000d |
| SHA256 | d017f151a6df0ed60549f4fdc1119ef49e96e09e982321a223ff969c9460f454 |
| SHA512 | 8667a78d19384eb788e5575b6bbd93ba02299d913b64d02de5ab8639d1079554d0492e3ceed29ce533a455d47d71f487c77a207dc2f0fc2faca64ff84ee80910 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 97e7c5b80620799eaa3555b43826bbaa |
| SHA1 | 6c5cafd1e4f18801a52a7db05003f7390ee40872 |
| SHA256 | cb2a6b926088b0eb2b3a5f038a0449162206e6995bfcc0264f17baf1a06aa8cb |
| SHA512 | c708037adf7112125d5a8d5d413ffdbb189e9a0afde65d92a200df3551ac5a4956956eeca9fd7559baaf4c18bdbc764cf81d09f7d79208d23ff22171f8dbf819 |
memory/3748-355-0x0000000072850000-0x0000000072E01000-memory.dmp
memory/3748-356-0x0000000072850000-0x0000000072E01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f4cc51c9318184b8a7445a0e65b6c960 |
| SHA1 | e7a244fc65f143b5b09a526b93ff74a264a93389 |
| SHA256 | a9362a6779d938b06678b9b97af2b932d8fa980f543501b8ee1508581ed80e13 |
| SHA512 | b4c76e59c83bad745295c0fe23fc7f4f13e118edf9214f63755d2484d547a823b644663f78cf59b9e97f877a8ba4c59422ff1d8f21522e1f32ed91690a485add |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 77c1c11d80265e56edd33c65fe3107f8 |
| SHA1 | fa61dbdefe4f5604916ade4d3eee0bd2e44c188c |
| SHA256 | 5dbe588f06fef86490c03a33cecd32cf30772e32a8ee65c6be32e1d11742e9fe |
| SHA512 | f0310898277ff3266debe8f4bfa1f10fce1e6d300c432d20d0f52908e2813646ab68a09d5795bdadfa1f5f54b23f79c958787a816d318640d5e86a11e27cac21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f8b9fd697290cd4fe7df8f62069d00f8 |
| SHA1 | a12eeb31bbd87dd70a2c886c74bab837c04700f4 |
| SHA256 | 44072a9a1bb742ebc5babd5bc3fb3c4b19721d9fd43e16f65cb4c8a01e7af93f |
| SHA512 | 5fc3984e9c1652a5a299a271de3d931ddc267c06929837d6e8ea79f5298eade7fcc172c31b50d35ff2b2882f239e5db155bc0c4e86ac8d006e021326014f5df6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
| MD5 | 42157868488d3ef98c00e3fa12f064be |
| SHA1 | aad391be9ac3f6ce1ced49583690486a5f4186fb |
| SHA256 | b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c |
| SHA512 | 8f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471 |
memory/5852-418-0x0000000072850000-0x0000000072E01000-memory.dmp
memory/5852-419-0x0000000001790000-0x00000000017A0000-memory.dmp
memory/5852-420-0x0000000072850000-0x0000000072E01000-memory.dmp
memory/5236-424-0x0000000072850000-0x0000000072E01000-memory.dmp
memory/5236-425-0x00000000017C0000-0x00000000017D0000-memory.dmp
memory/5236-426-0x0000000072850000-0x0000000072E01000-memory.dmp