Analysis Overview
Threat Level: Known bad
The file https://store4.gofile.io/download/web/c87079d5-d31d-400c-ba3d-c189a188638c/PisiValorant.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Sets service image path in registry
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Program crash
Enumerates physical storage devices
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 18:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 18:39
Reported
2024-05-31 18:40
Platform
win10v2004-20240426-en
Max time kernel
44s
Max time network
43s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5800 created 2648 | N/A | C:\Windows\SysWOW64\notepad.exe | C:\Windows\system32\sihost.exe |
| PID 6084 created 2648 | N/A | C:\Windows\SysWOW64\notepad.exe | C:\Windows\system32\sihost.exe |
Downloads MZ/PE file
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\OweWxXqVpgrSyEEGYJFn\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\OweWxXqVpgrSyEEGYJFn" | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AXUHbewoqOkiDgAkShU\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\AXUHbewoqOkiDgAkShU" | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
| N/A | N/A | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
| N/A | N/A | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\temp89103.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
| File created | C:\Windows\SysWOW64\Temp423810.bat | C:\Windows\SysWOW64\notepad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\temp89103.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Temp423810.bat | C:\Windows\SysWOW64\notepad.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SoftwareDistribution\Download\vac.sys | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\drvloader.exe | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\vac.sys | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\drvloader.exe | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\notepad.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\notepad.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\notepad.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\notepad.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 738680.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
| N/A | N/A | C:\Windows\SoftwareDistribution\Download\drvloader.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\PisiValorant.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store4.gofile.io/download/web/c87079d5-d31d-400c-ba3d-c189a188638c/PisiValorant.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc8bf46f8,0x7fffc8bf4708,0x7fffc8bf4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5548 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,11377879719322339323,6876777503961921951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
C:\Users\Admin\Downloads\PisiValorant.exe
"C:\Users\Admin\Downloads\PisiValorant.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\SysWOW64\notepad.exe"
C:\Windows\SoftwareDistribution\Download\drvloader.exe
"C:\Windows\SoftwareDistribution\Download\drvloader.exe" C:\Windows\SoftwareDistribution\Download\vac.sys
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\SysWOW64\notepad.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color e
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\temp321340.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command " $action = New-ScheduledTaskAction -Execute 'C:\Windows\SysWOW64\temp89103.vbs'; $trigger = New-ScheduledTaskTrigger -AtLogOn; $principal = New-ScheduledTaskPrincipal -UserId 'Admin' -LogonType Interactive -RunLevel Highest; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; $task = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings; Register-ScheduledTask -TaskName 'PrintCleanUpper' -InputObject $task -Force;"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5800 -ip 5800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5800 -ip 5800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 904
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color c
C:\Users\Admin\Downloads\PisiValorant.exe
"C:\Users\Admin\Downloads\PisiValorant.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\SysWOW64\notepad.exe"
C:\Windows\SoftwareDistribution\Download\drvloader.exe
"C:\Windows\SoftwareDistribution\Download\drvloader.exe" C:\Windows\SoftwareDistribution\Download\vac.sys
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\SysWOW64\notepad.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color e
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\temp321340.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command " $action = New-ScheduledTaskAction -Execute 'C:\Windows\SysWOW64\temp89103.vbs'; $trigger = New-ScheduledTaskTrigger -AtLogOn; $principal = New-ScheduledTaskPrincipal -UserId 'Admin' -LogonType Interactive -RunLevel Highest; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; $task = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings; Register-ScheduledTask -TaskName 'PrintCleanUpper' -InputObject $task -Force;"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6084 -ip 6084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6084 -ip 6084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 896
Network
Files