hxxp://pixeldrain[.]com/u/QEeXR3cT

Resubmissions

25-05-2024 07:32

240525-jcy6vsaf43 10

25-05-2024 07:22

240525-h7ev2aad3w 10

25-05-2024 07:15

240525-h3nx5sac5y 8

25-05-2024 07:05

240525-hwh4baab2t 7

Analysis

max time kernel
189s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://pixeldrain.com/u/QEeXR3cT

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

YouAreAnIdiot.exeTrololo.exe

pid process

2596 YouAreAnIdiot.exe
6044 Trololo.exe
Loads dropped DLL 2 IoCs

Processes:

YouAreAnIdiot.exe

pid process

2596 YouAreAnIdiot.exe
2596 YouAreAnIdiot.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6048 2596 WerFault.exe YouAreAnIdiot.exe

pid	process
2596	YouAreAnIdiot.exe
6044	Trololo.exe

pid	process
2596	YouAreAnIdiot.exe
2596	YouAreAnIdiot.exe

pid	pid_target	process	target process
6048	2596	WerFault.exe	YouAreAnIdiot.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5712 taskkill.exe
1996 taskkill.exe

pid	process
5712	taskkill.exe
1996	taskkill.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3688	msedge.exe
3688	msedge.exe
3376	msedge.exe
3376	msedge.exe
3648	identity_helper.exe
3648	identity_helper.exe
5256	msedge.exe
5256	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3376 msedge.exe
3376 msedge.exe
3376 msedge.exe
3376 msedge.exe
3376 msedge.exe
3376 msedge.exe
3376 msedge.exe
3376 msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zFM.exetaskkill.exetaskkill.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	6000	7zFM.exe
Token: 35	6000	7zFM.exe
Token: SeSecurityPrivilege	6000	7zFM.exe
Token: SeDebugPrivilege	5712	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: 33	4388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4388	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

msedge.exe7zFM.exe

pid	process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
6000	7zFM.exe
6000	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

5352 OpenWith.exe
5352 OpenWith.exe
5352 OpenWith.exe

pid	process
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3376 wrote to memory of 3664	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3664	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 2636	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3688	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3688	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe
PID 3376 wrote to memory of 3392	3376	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pixeldrain.com/u/QEeXR3cT
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8b8946f8,0x7ffc8b894708,0x7ffc8b894718
2⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
2⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
2⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
2⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
2⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
2⤵
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:8
2⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
2⤵
PID:696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5116 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5896

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\пездець1488.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6000

C:\Users\Admin\Desktop\пездець1488\Трояны\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\пездець1488\Трояны\YouAreAnIdiot.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1556
2⤵
- Program crash
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2596 -ip 2596
1⤵
PID:6016

C:\Users\Admin\Desktop\пездець1488\Шутки\Trololo\Trololo.exe
"C:\Users\Admin\Desktop\пездець1488\Шутки\Trololo\Trololo.exe"
1⤵
- Executes dropped EXE
PID:6044

C:\Windows\SYSTEM32\taskkill.exe
taskkill.exe /f /im explorer.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Windows\SYSTEM32\taskkill.exe
taskkill.exe /f /im taskmgr.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
c57b06e50114e54b44797ddca40afc5d

SHA1
43721693ead6b3304a5791a5e8389813659fc603

SHA256
8d1bee0a5c1ecbbea13d8e8b92ab5802efda89334f76dbfc5bed7cd3cc724a44

SHA512
39272b9fda490a1c838635ec8d83a111be034b4aa90cd5f56575620166f32f5cc8f155a42fbd3beff15b8cb59b606059c7208032c9cae1d4b05b4ab48e531a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
182B

MD5
9eb9d67f919ae153884991ffc5223fdb

SHA1
8ebbb1a763b529cc9bf2839b13f0564f10d10046

SHA256
08e4c57ce93d9bce050befa4e516d8aca239010d22692f90ea30a39ba91a1d40

SHA512
9aad23e77ff458c7b49381fec4e0c650172314e46cdae969744d948f67eabb8ee25e2d04f6d81d43bc97f2d704fabc43b4b63ece97a14f09fde78c59132a003b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
eacf7a4f078e6c92e7b6cc33e2762791

SHA1
e0c4a4a3e6655a92e183917938cd00027ec732de

SHA256
d27e7c6d430f582f487c3a8d5090816b411c865af0d63231db4cccac9c19a890

SHA512
8cca4043639bd57bd0dd61564629075c4e8d92c4453add1a5ea533a00d6330b9382ed9f4c2b0dc295651323a6ed6b16c28009a653e651f426e3c171e36794c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
089765a853a1e74fa06019170cf87bf0

SHA1
d2d2ce0a54f904d7e6d88365eca778e7cfbfd92c

SHA256
db0d93c839f52c9a69f50312bbc8a44d3a264d20caa3fa585b627f524cdf0682

SHA512
ba972e25ba32ca17ab3e394f1ecd6313d17c326e9c3526c207a615e11f32fa39f6946e7df839f2099ffab5872fc19440eac27d3f26a1aa1ab009af9044884a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7ca4926fabbf070f30f2893a680ef2d4

SHA1
43604ab2531272951c7f1c5ba78a9a4ca585dd04

SHA256
e1cf98db0006d5f04546df6cbdd30b326f91cedc89cee57f06ff05b82ac66c29

SHA512
eb2314f6e88e03129cb96c57f190a18fd7c7647e141fd032f77b1fd7c198b4fe87e3ea832facc2a66cf9c6031f42547cbe3101e8d6d4c5a6940ed3a345d42add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ecae2f523db32b26f7e2758f280cc824

SHA1
fe079d98196b00887d32fdb80be4eea443e7e4d6

SHA256
b9fe4e85f89237620f7a776347db030c33da7ddc0890f63e36c8fef595a4767f

SHA512
5f329a166c97591754f8b79a12a5bc20c7650085298433e9b6b92c4e4772de4aa9309596fd2a846c9d4bb8bc3c48beca59af85ccfb629503526ef9248a6dbcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
204B

MD5
7f9b05368d1b0b91de53dfc74be00358

SHA1
b8ce844ffb9aeb82229e2cc6caf5b9d25f898c5d

SHA256
784c7e05435a25ff151983d200712f1374753afdc706b1dc7c03c664a09af708

SHA512
16c36d56ec32477a7dcfa2add9423dc55b7079b3572aafd231d166467f158cfbfdfe3ef4acf1a5426d725df33920db6d5eb9ad3d62d4cc7e0d12793983b6d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578359.TMP
Filesize
204B

MD5
0711950d36c7ace342c38c8b866694de

SHA1
ce66bea7aebb069316b41f762d4ca26e882cb5d3

SHA256
12fc78d023f9b3bb3162225e51daa210c646ad1497a7da0931ed46f2b11d7a1f

SHA512
4cb38476f933e9286b890e0e54a6fbb2861595da0758c2bab167505ba4d62711411cb3e74c29b2760e8d43eae43cd247b4d9d8b6f9811ce468a2fa35fef61e7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
357645e5190a65fa8bafb4501d962e6a

SHA1
49c5593a08a8b65272cb4e0bc3d6884e7f226ba2

SHA256
ba26a5bd33493790318a5d0b693dfa98f17667554e6d67fa82a0c7549b6399e6

SHA512
ad3f8cf28e3ed60c6d03c4319cce9099dcf3d8cb35d90d70fe505191b02151b3476e1167d0cb588217612989015976223af33367df85afb81689af33279760ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
cfe61c66a048a556cab96f3b2deb4669

SHA1
d91ec7e813ce5d69e9ba20db831f55474717f826

SHA256
82b06902e37dcf7a576e73bd3fb5ec47c02c5b59b143bc9dd04644260b2e24bc

SHA512
e09cc4c820766760c21c1db92cf2d8d922d53f87d88c77cc2fe01803d22d350fc86cfbf892b54bcadc87782f13443d56d326b7dac4019daaadec21216a365e1d

Download Submit
C:\Users\Admin\Desktop\пездець1488\Трояны\AxInterop.ShockwaveFlashObjects.dll
Filesize
17KB

MD5
451112d955af4fe3c0d00f303d811d20

SHA1
1619c35078ba891091de6444099a69ef364e0c10

SHA256
0d57a706d4e10cca3aed49b341a651f29046f5ef1328878d616be93c3b4cbce9

SHA512
35357d2c4b8229ef9927fa37d85e22f3ae26606f577c4c4655b2126f0ecea4c69dae03043927207ca426cc3cd54fc3e72124369418932e04733a368c9316cf87

Download Submit
C:\Users\Admin\Desktop\пездець1488\Трояны\YouAreAnIdiot.exe
Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Desktop\пездець1488\Шутки\Trololo\Trololo.exe
Filesize
3.0MB

MD5
b6d61b516d41e209b207b41d91e3b90d

SHA1
e50d4b7bf005075cb63d6bd9ad48c92a00ee9444

SHA256
3d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe

SHA512
3217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da

Download Submit
\??\pipe\LOCAL\crashpad_3376_CMLQCZBMGHDTZHQZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2596-329-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/2596-330-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/2596-331-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/2596-332-0x0000000005200000-0x0000000005256000-memory.dmp

Filesize
344KB

Download
memory/2596-328-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/2596-336-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/2596-327-0x00000000006D0000-0x0000000000742000-memory.dmp

Filesize
456KB

Download
memory/6044-339-0x000000001C040000-0x000000001C0E6000-memory.dmp

Filesize
664KB

Download
memory/6044-340-0x000000001C5C0000-0x000000001CA8E000-memory.dmp

Filesize
4.8MB

Download
memory/6044-341-0x000000001CB30000-0x000000001CBCC000-memory.dmp

Filesize
624KB

Download
memory/6044-342-0x00000000018A0000-0x00000000018A8000-memory.dmp

Filesize
32KB

Download
memory/6044-343-0x000000001CDB0000-0x000000001CDFC000-memory.dmp

Filesize
304KB

Download