Analysis Overview
SHA256
807365fb2ba6da0202b002ef59b76c7e5205cd7a20280b006403ca94ec700904
Threat Level: Known bad
The file DxHax - New.rar was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Modifies Windows Defender Real-time Protection settings
Async RAT payload
Detect Xworm Payload
AsyncRat
Xworm
Command and Scripting Interpreter: PowerShell
Modify Registry: Disable Windows Driver Blocklist
Executes dropped EXE
Checks computer location settings
Drops startup file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Modifies registry class
Enumerates system info in registry
Checks processor information in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 01:30
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:05
Platform
win10-20240404-en
Max time kernel
315s
Max time network
882s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\26.06.2024\ZGsg7Rz25btLV3b.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\ZGsg7Rz25btLV3b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4248-0-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp
memory/4248-1-0x0000000000C00000-0x0000000000C26000-memory.dmp
memory/4248-3-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp
memory/4248-4-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp
memory/4248-5-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 01:56
Platform
win7-20240704-en
Max time kernel
843s
Max time network
844s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.1.month.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.1.month.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 01:58
Platform
win10-20240404-en
Max time kernel
1200s
Max time network
1182s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modify Registry: Disable Windows Driver Blocklist
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Appinfo = "C:\\ProgramData\\Appinfo" | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "91cdf5d5-c3824ee0-f" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 410704930736330c | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\artecore.xyz | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\MrtCache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\NumberOfSubdom = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomain = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomain = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "25" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "25" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 74f41fdd45e5da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\artecore.xyz\NumberOfSubd = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 90aa02ed45e5da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 769bab4146e5da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c81616d745e5da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "25" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{CCCAA9F8-38EC-4187-A361-0761A525F868} = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8c0d904b46e5da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe"
C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
"C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe"
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
"C:\Users\Admin\AppData\LocalnrIszSVIvh.exe"
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LocalgpXAJOk_AK.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Appinfo'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Appinfo'
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Appinfo" /tr "C:\ProgramData\Appinfo"
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | artecore.xyz | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 172.67.209.3:443 | artecore.xyz | tcp |
| US | 172.67.209.3:443 | artecore.xyz | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 3.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.27.106:443 | www.google.com | tcp |
| NL | 142.250.27.106:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| NL | 142.250.27.94:80 | o.pki.goog | tcp |
| NL | 142.250.27.94:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 106.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.102.250.142.in-addr.arpa | udp |
| US | 172.67.209.3:443 | artecore.xyz | tcp |
| US | 172.67.209.3:443 | artecore.xyz | tcp |
| NL | 142.250.27.94:80 | www.gstatic.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| TR | 85.105.15.233:5555 | tcp | |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| TR | 85.105.15.233:5555 | tcp | |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.169.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 244.73.46.23.in-addr.arpa | udp |
| GB | 184.28.176.104:443 | www.bing.com | tcp |
| GB | 184.28.176.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| US | 8.8.8.8:53 | youtu.be | udp |
| NL | 142.250.27.136:443 | youtu.be | tcp |
| NL | 142.250.27.136:443 | youtu.be | tcp |
| US | 8.8.8.8:53 | 136.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| NL | 142.250.27.94:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| NL | 142.250.27.190:443 | www.youtube.com | tcp |
| NL | 142.250.27.190:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 190.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| NL | 142.250.27.119:443 | i.ytimg.com | tcp |
| NL | 142.250.27.119:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | 119.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rr1---sn-aigzrn7z.googlevideo.com | udp |
| US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watson.telemetry.microsoft.com | udp |
| US | 20.189.173.21:443 | watson.telemetry.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.173.189.20.in-addr.arpa | udp |
| NL | 142.250.27.190:443 | www.youtube.com | tcp |
| NL | 142.250.27.190:443 | www.youtube.com | tcp |
| NL | 142.250.27.119:443 | i.ytimg.com | tcp |
| NL | 142.250.27.119:443 | i.ytimg.com | tcp |
| GB | 173.194.135.102:443 | rr1---sn-aigzrn7z.googlevideo.com | tcp |
| GB | 173.194.135.102:443 | rr1---sn-aigzrn7z.googlevideo.com | tcp |
| US | 8.8.8.8:53 | 102.135.194.173.in-addr.arpa | udp |
| TR | 85.105.15.233:5555 | tcp | |
| US | 20.189.173.21:443 | watson.telemetry.microsoft.com | tcp |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp |
Files
memory/4404-0-0x00007FFC1ADA5000-0x00007FFC1ADA6000-memory.dmp
memory/4404-1-0x00007FFC1AAF0000-0x00007FFC1B490000-memory.dmp
memory/4404-3-0x00007FFC1AAF0000-0x00007FFC1B490000-memory.dmp
C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
| MD5 | 78563d0035e1efbd4893ebfe5c531dd2 |
| SHA1 | 422a139897211fb59d72e575854b266f7ce85e7c |
| SHA256 | 3a4d442da6508560c48369d1e388ca9a6d4b71d1884fe2aa267b66f7da8f26e8 |
| SHA512 | d0562d9f5985334f081933bcf1b608b012a93149c8b022b3bae95004ef2aabe46c245043338ddf97ff2c82e0848152278617c0e675609676128c98de61991b54 |
memory/4332-11-0x00000000004B0000-0x00000000004EE000-memory.dmp
memory/4332-10-0x00007FFC187E3000-0x00007FFC187E4000-memory.dmp
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
| MD5 | c9e5ab8a4ca9c024a9c7ee2928589a9f |
| SHA1 | e3e9efcb92add817b599d60716e3145adfc68326 |
| SHA256 | db335459f68b4764704a113a44ad3dea7d1c97b868e2f59548ceb83af835f842 |
| SHA512 | 378f9e5ecf3be4e00d6fa08fef576641be5dd881fe5c19363160f1e0adfef6be1ba6bce6cccb2cff0e9b9a36a819799908bd67e8c58edeeaf3c5b0362e380341 |
memory/4404-16-0x00007FFC1AAF0000-0x00007FFC1B490000-memory.dmp
memory/3164-17-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/3164-18-0x0000000000400000-0x000000000169A000-memory.dmp
memory/3164-23-0x00000000065A0000-0x00000000065A1000-memory.dmp
memory/3164-28-0x0000000006D90000-0x0000000006D91000-memory.dmp
memory/192-62-0x0000028B5BB20000-0x0000028B5BB30000-memory.dmp
memory/192-46-0x0000028B5BA20000-0x0000028B5BA30000-memory.dmp
memory/192-83-0x0000028B58DA0000-0x0000028B58DA2000-memory.dmp
memory/3164-106-0x00000000072E0000-0x00000000072E1000-memory.dmp
memory/3164-107-0x0000000007460000-0x0000000007461000-memory.dmp
memory/4332-143-0x00007FFC187E0000-0x00007FFC191CC000-memory.dmp
memory/4300-190-0x000002A80C010000-0x000002A80C110000-memory.dmp
memory/3528-212-0x0000021632040000-0x0000021632062000-memory.dmp
memory/3528-224-0x000002164A560000-0x000002164A5D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijzg0gih.t4a.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1504-288-0x000001FE65910000-0x000001FE65912000-memory.dmp
memory/1504-286-0x000001FE55450000-0x000001FE55452000-memory.dmp
memory/1504-283-0x000001FE551E0000-0x000001FE551E2000-memory.dmp
memory/1504-280-0x000001FE55700000-0x000001FE55800000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 81957cd7233cd08a43006f46d15b4f60 |
| SHA1 | 8e901122d321c4cf30e0e90bba07138dfbed8ea9 |
| SHA256 | e39b2045f1cfd4b8d2de01b02a2075b6cc893bacade30af2db8969bed4de9d3e |
| SHA512 | 44427c9e68f512f875d42e796ddd96f0bb85798c816b8f611469582c9ebf286b88503d7f158b80ec94a9759016d61383898ebe505c331f04a005cfec8612eeda |
memory/1504-441-0x000001FE66A90000-0x000001FE66B90000-memory.dmp
memory/1504-453-0x000001FE55700000-0x000001FE55800000-memory.dmp
memory/1504-476-0x000001FE67C50000-0x000001FE67C52000-memory.dmp
memory/1504-460-0x000001FE66F30000-0x000001FE66F32000-memory.dmp
memory/1504-448-0x000001FE66C20000-0x000001FE66C22000-memory.dmp
memory/1504-444-0x000001FE66BF0000-0x000001FE66BF2000-memory.dmp
memory/1504-492-0x000001FE67FE0000-0x000001FE67FE2000-memory.dmp
memory/1504-490-0x000001FE67FD0000-0x000001FE67FD2000-memory.dmp
memory/1504-488-0x000001FE67FC0000-0x000001FE67FC2000-memory.dmp
memory/1504-486-0x000001FE67FB0000-0x000001FE67FB2000-memory.dmp
memory/1504-484-0x000001FE67F90000-0x000001FE67F92000-memory.dmp
memory/1504-482-0x000001FE67F70000-0x000001FE67F72000-memory.dmp
memory/1504-480-0x000001FE67F50000-0x000001FE67F52000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5PGROS7F\recaptcha__en[1].js
| MD5 | 1d96c92a257d170cba9e96057042088e |
| SHA1 | 70c323e5d1fc37d0839b3643c0b3825b1fc554f1 |
| SHA256 | e96a5e1e04ee3d7ffd8118f853ec2c0bcbf73b571cfa1c710238557baf5dd896 |
| SHA512 | a0fe722f29a7794398b315d9b6bec9e19fc478d54f53a2c14dd0d02e6071d6024d55e62bc7cf8543f2267fb96c352917ef4a2fdc5286f7997c8a5dc97519ee99 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\NTYTWLVY\www.google[1].xml
| MD5 | b79781df2b468a4514f229d791332547 |
| SHA1 | c0b13d3253afdbad07d98126909eaafdcf517f1d |
| SHA256 | 060591899db7be90a0cf04bcdb16087903408ab154daad806f15292117e591ad |
| SHA512 | fb69f75ebdf45c5d4bf90a9e8bc8d842d9103bf881da3423851bf594fb63db9509c086e51350f2c8955da6dd71ec0547d6eb97a7b6b148122ccf929056df8bba |
memory/1504-575-0x000001FE6B180000-0x000001FE6B182000-memory.dmp
memory/1504-578-0x000001FE6BA00000-0x000001FE6BB00000-memory.dmp
memory/1504-577-0x000001FE6BA00000-0x000001FE6BB00000-memory.dmp
memory/1504-607-0x000001FE6B1B0000-0x000001FE6B1B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f9ec5ce73efb5b91d4fac29f8bae5207 |
| SHA1 | 898bc2a525cd85cd9a9e027767bcf71344b359a2 |
| SHA256 | 85f1cad80e08bd8d94e6a66d3504c569707441035283028f04403e15719fa70f |
| SHA512 | 6a55a54ef85454028062e572562347226c364d0ca08e5e2d29889a85dc160e540626aba6b941f35e5c3a344b52cbdbf1e410204ab3fa688aa9b43dc592657628 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1G6WS7EK\styles__ltr[1].css
| MD5 | 4adccf70587477c74e2fcd636e4ec895 |
| SHA1 | af63034901c98e2d93faa7737f9c8f52e302d88b |
| SHA256 | 0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d |
| SHA512 | d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3 |
C:\Users\Admin\AppData\Roaming\i5kld8se3.cfg
| MD5 | ad2ee3633d027d2cc5eb4a188220f6c9 |
| SHA1 | e9347afcfbce8f23dc2d12c9bee58a848530bd44 |
| SHA256 | fb548726ea9e07220abca7a2dc9d8d4f4b4d9ef3cff9fcc322c1e28cd9a187f5 |
| SHA512 | 7d5ea8df50f6e632afb4ce15f99d8351372e9540cf1872f880b1aac5fd8014aef180ffb64d421e50d4d786984f1f4c89d0e9888b9c6ee521179762ecae6db9d1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b1f4f43464332240597591069d6c98dd |
| SHA1 | 8c09114b8d454be3dc30e47a4f0b2435b7661610 |
| SHA256 | d22f7fde9bb5997a67b08b757ea3908a3bbc4eaec09c7b996e3f5ff81d72f958 |
| SHA512 | cf76d9c54b04a4ea40e4d026977249cad9cea4f72187b44dda2fd346ad45b37673d81cc5d25b9cc45795f1e8ca4ff14e2d9689dcaa9ce4f4b07b8c82b93dc84f |
memory/4332-1625-0x00007FFC187E3000-0x00007FFC187E4000-memory.dmp
memory/4332-1782-0x00007FFC187E0000-0x00007FFC191CC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8S7W85J5\edgecompatviewlist[1].xml
| MD5 | d4fc49dc14f63895d997fa4940f24378 |
| SHA1 | 3efb1437a7c5e46034147cbbc8db017c69d02c31 |
| SHA256 | 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1 |
| SHA512 | cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\USYYQCUR\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Appinfo.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
| MD5 | e935bc5762068caf3e24a2683b1b8a88 |
| SHA1 | 82b70eb774c0756837fe8d7acbfeec05ecbf5463 |
| SHA256 | a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d |
| SHA512 | bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
| MD5 | b06671710c232e5211bc2044f564c8b0 |
| SHA1 | d3e85786ab6507c1c255ceecbc4b545fb88338a7 |
| SHA256 | c37538d0a16e0a24dedb294590d5fd0ca7c5096b5510aa9895db2e92ed5c1f14 |
| SHA512 | e23cc0fd895099630124ec12a7c611d650165cd482b13d8700bec267e029cdf798036b04ccdf9556ec0c2f9cf74394c20ffc51fb6384df6da95722e1789cc9ef |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA
| MD5 | 3413c10143b0a3169d289bf9face40f3 |
| SHA1 | bc429a6d1274090b640bb1cb136eb82823a9607d |
| SHA256 | cfa5ba3b9abf5c458e58bc2092faa0ef29fc66784f57f5df12633c6800130141 |
| SHA512 | 387458eee3c81b4e50cda6a525057d75eb3ab88d9e07f089539eb55cfbfcdf72496483aced93e7acd86a0a4aaf15f55cafb509e172542c41a0e583c3649e2739 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA
| MD5 | 5e433f38738c0c04add5a592d2cd0357 |
| SHA1 | d20a5b7774275895c5db713a41d8b5c5cdf6090a |
| SHA256 | 17684d43678e88163ed848f5053a4346052ad54e1f851aaee1d7a3b075662c86 |
| SHA512 | a9a8640b124f9acba4fe52e7e55c3402a8cb2eeb0818ea6ce59d8c8c3d335d1624c0c3a83f808125c823d216deca4b35b1a81196a110bbfc2335b97cab5c0c6b |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_BE32D9F1882B93E37445F58E05C44495
| MD5 | 2c18c2017273e7c8c2f3d65222ea3cdc |
| SHA1 | 7deda2d488a001df37451fd88cb3366e1cdf5d5d |
| SHA256 | baf648900c379227a1e71d6f08b7622d9cf11b2f6a92fb0d592bc50572f96a9d |
| SHA512 | 4f9d77ee8091c87b67d688f16081f6f6610b558befaca403388bd7c56341e52f4bd565d0b7eff2c150b60e8b19eee03488b7714e94dda4d42d285a36caad3d95 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_BE32D9F1882B93E37445F58E05C44495
| MD5 | 9267c692dfaf4033a8df46055ea0d3a6 |
| SHA1 | 38b7e7ad6be6d56060f8b4dfa962198c500218ff |
| SHA256 | 4b022a384cc7d16672ebc36361b6270b65998d5e655f8a2eb90b58c93ebe8924 |
| SHA512 | d66fdd6197d44b805993f9e5c1d02244a14df721365b5c105de5b0140dff6769afc05f46694175e5ce252e260d3621244ad1bb65d8e9d7e2862b4e428afe1e3a |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552
| MD5 | 9e80c561f5bcb18f0f468add63b3b91f |
| SHA1 | 499e7e5485feefac01c0f5829bb6f328a834a4bf |
| SHA256 | 5e2369ba659c05fb76a2390610fefeeaa5d5b0e9c3c57f19fa0c612c74b89dce |
| SHA512 | 6ce0b1d1ad4dbabc791a47c10d3f651d0cdf3baffe9dbd3942de5fa9324119e1b3cd0f506589aa00b2565439a5bac2d173808c074ca29d0cc88fd380088b4cb8 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552
| MD5 | 5a468d913da34cc7d13090710d92824d |
| SHA1 | 6453822adebb10e3689bfb3f0362f873bca7b6df |
| SHA256 | 254df80a71571e7991fd8432b7247501171900ce632e1208aab08df9bb205a8e |
| SHA512 | 32390d61069003f9f53a32ab83516d13fd8ba00ede760b22e2e3b5d503787e839f7ca882f0f7476b36a566cbd32a79bd82ec3f356a1a56545b5e7f99ee9b4626 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | db56dcf3237b6abf7f9a110279dd5347 |
| SHA1 | 3cf157915f7b185f9f8f0b3578fad7366ada8255 |
| SHA256 | 07f7a6f0ec54900aa76dcbc75d87b5412bbceb88d62b0448c4444d90a10c0b63 |
| SHA512 | ca522a58bfd544a0863f8aacfc9a3de5dbdd6d2da50e9ece44f830b6e46704faed3ecfd8c790efbd759972c615ec943fc0339bab7fa8b65878540893c2255a3f |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | ae415fc3aaafc1316b7f7a3ead539905 |
| SHA1 | c260e2024bdd9f7b1836c7502cbcbe0b2c1ad7cf |
| SHA256 | 52f1b8911bb6626f001158b65a85f5a1730fe80c37fd15b87f6c0fce779cb297 |
| SHA512 | 51a206ff86a64f27fba27d3776e289acc0620e1486c4cd12af7a991d3a7f313f217949b8b0b089de48cfc5311150f4bf2d22b7a55fae3d379599f705cd56075e |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SLAUSJ2C\intersection-observer.min[1].js
| MD5 | e02d881229f4e5bcee641ed3a2f5b980 |
| SHA1 | 29093656180004764fc2283a6565178eb91b5ef3 |
| SHA256 | 8037c1f1e0e4d3d7955f591a14a4b4d090141f1d210ef8b793ce5b345f08f7f5 |
| SHA512 | f4e8e21b91ee33879a2295215cba91e12851891165fe3f9f98913022280ef8192fd3f5def06aa8ac1fbe6d43d09034b0bb8e29e8703366a012e1fde6ff2828db |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\79SZ112Y\web-animations-next-lite.min[1].js
| MD5 | 9e1f5b2285bce3a471297b1505058b57 |
| SHA1 | c0cbe8b0a96f32c25adbae33932188d495a4135c |
| SHA256 | 708021b0a03278843afdf5190777b25bead3458548e7c221ac1ff6f6e6e17bad |
| SHA512 | a10b9f0fa257580a1e44b5f756f99a149193d6b71f98590eba7bff2a6a3853c32a0d8d44a8967154eefab884d7964d148d38991393cc4785249f38253242099b |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\79SZ112Y\webcomponents-ce-sd[1].js
| MD5 | 2b26e985df91c84424c744d8557bba69 |
| SHA1 | 901e4665ee79cd7420139e39fcee2db0eea683ee |
| SHA256 | 4011a87b53c8fedc7e54076929d677a2d8f8cd76ab20ce4eb2e027778083cfcd |
| SHA512 | c9a27e9970123f2ae0d692834b6f1117f2f20d5835a1670a3bace470123471cd7754425976abccce4abac7612659bf31f755e3e8ad9ff807d0d3e74db4154a78 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SLAUSJ2C\www-i18n-constants[1].js
| MD5 | 877a2b1590385d79323ef992abe9e961 |
| SHA1 | f2f65882785537d6f3eeba7f02ea233f9e55672f |
| SHA256 | ff474db3ea4409f034cbae6ae738bc80fb18734ccd38f87fcde90d02e11cfac3 |
| SHA512 | c7b9bda266c59a19476d7eaa3f6bc10d8d916345ff4195ee5932f5d5d884a487407552a29d576a9dd53dfd2588069c7376f660800f5ab7f8e1bea78cdd146e14 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\79SZ112Y\scheduler[1].js
| MD5 | d253fb13ad8f6827d24cf504b725eafa |
| SHA1 | 81ee8c43d98fbced10e03ae0023fc12c25e982d9 |
| SHA256 | 9510a0e5e9fc3d18f09b21b22515d4a13494293f1a9f9f3caea141e2083b8c9f |
| SHA512 | 2ea9a0b6b0e6505415e41efb7e124b59a61623466f4b810661f01af9f9ddc196c6c09ed6f8c592a320be134f0d92c2e733fa4594b200d867c5a8d63374ed56c3 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\79SZ112Y\rs=AGKMywEHgOCWGFSiYszTGBszUeLWt1qt_w[1].css
| MD5 | 88d79c45434fb00d27d5b50626710b85 |
| SHA1 | 116e001e1753ee5d3ca6be4b08bc41c3b2f475b4 |
| SHA256 | 130d05c80a84f63d496b247d1e0ddf3b3c7edd7ed7f75f143943d41e69b6d1d4 |
| SHA512 | 859b299964cd2c4c7c0d0d0fb9de64f422e7dc4fbfdfd6a3e3484586e1d568a25f1356b735101cf41902bea0b6c860829b3e3e419f0d11d95aca77b942dafb4d |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5PGROS7F\network[1].js
| MD5 | 6084f9dde4da508b0dd3876d3a560286 |
| SHA1 | 900498368c448fca108b3e259babd629a3430a96 |
| SHA256 | 30171bb40dfd302f11fe055cbae26c0afa1a1066412962cfb37c027b64e90ad4 |
| SHA512 | 6679b32664bd0885abb1223ec2ae7d8b4c7c448452f554b3edc28b05af73eb979bdabac598f5c95e83629a8cf6c9deeb1b57fa19ce719f2cce36f66187832f5b |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\79SZ112Y\spf[1].js
| MD5 | bf025ef658ddb27110200e1687069834 |
| SHA1 | da4204f7adab89b2805b193ff5e843be51e692c0 |
| SHA256 | bd0aa35d6b45603af59c4d945dc2e8a672827aca624ae6e8e7b8e9b212b1bf72 |
| SHA512 | f6a1f96709144d14d1964a4de8df900e908a2d146cf7ea38f38fbe5d00e2eecdce7808d556661188b769ad64327378a1e4a50edfffafabc1df66da5282cf166d |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SLAUSJ2C\base[1].js
| MD5 | d9037f7056697db2ddac40192fde7f29 |
| SHA1 | 88cd043c08ec7f832f43206608228027fd5c1d39 |
| SHA256 | a78d836f9b4018d062b329ce524f040c45fed2e71f8c81c1d70a9661a99e6257 |
| SHA512 | bb426cbc2de491d94988bf6fb523b4a16084e14122f346c194d048131557f097cde2b7e5b77f6e141998cb6a625d17ae31905b5266ed30dbf1b39c08f2ce36a9 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_4FE99CA8B2B48146026AB576A9AEFDDA
| MD5 | 16cd3763be6154081f4184f000ff29a3 |
| SHA1 | ccb6b155c58e35f610726a21464f6def6167082a |
| SHA256 | 11603ea2e8812c18115e12b1463663c6caf2166088f42dfd036526487e080c27 |
| SHA512 | 22a11e1e58fbb4a16a765eca5a4b8b6a16346dccabc472f7eb227bc40b7798a8025bbc2a7895dbaec929dcce439259e4df509e3ff483f8afaec40efc92fd4bd6 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_4FE99CA8B2B48146026AB576A9AEFDDA
| MD5 | d341e0f06afae0589bb503b5890c45e2 |
| SHA1 | 700288aeeeacbbffde678cd6b504b04a38aefbb7 |
| SHA256 | 5963a0d9a88cc9e28d913e48655567bf21c8f32f7697cf6337c6950710b4d855 |
| SHA512 | 11e11d7be98cd8c5851539a1ebfb43fddb395735f5714cb943b9e435108598e03fa40af2339691782741e124e743ed69732002164577282782cb5b7e0bad5e29 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SLAUSJ2C\www-main-desktop-player-skeleton[1].css
| MD5 | 4326cd919d56a62e61d337311ebd711d |
| SHA1 | a5af4bc0ac40fdd1377dd7d5ea686e703451b7ed |
| SHA256 | c649cebb3e80574123138dbd321b259dabca335aa73a997f8ae1f9682914836c |
| SHA512 | 32cbccf0323a11e66b06b7d540b8fc983d215b002f64853c86832ca98cbcbfaac68acde9a3648670c6d721f13ae11e5586715f26bbc906156585f5d065eeed7d |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\79SZ112Y\www-main-desktop-watch-page-skeleton[1].css
| MD5 | 64c8e3b11cfffc8ebf2240e4f46ab492 |
| SHA1 | 71276680811731f983502e477a87e87cfe72d75f |
| SHA256 | 3acc199c41eb3c884ee9884c15e6b78975499be2255aa203dba38ef24440181c |
| SHA512 | 497a48233bb198e05517e2cba003c2c5ba25183e1654b5b8252b9823f0859497ccab66a77e243238b27ea6eb826ae4fc72efb2f32b2b378edee7f9dfb87f4756 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SLAUSJ2C\www-player[1].css
| MD5 | 5e3e46a47dd5c466759e75037e2afc93 |
| SHA1 | b5cd6705696ad9093a1d0525a448d093f73ccae6 |
| SHA256 | 80847ee5ecbcf465f62717f5e0423da22592be75747b91ac1f43149b070f314d |
| SHA512 | fa2e4781ee19650b270d7deccb9606dca33261f9eed68a25de93403212fb54d4d104f97f9628cd1a2a648cd2fdb43f4baaa17dc374670277af3d2ac3b0c1fea5 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\79SZ112Y\www-onepick[1].css
| MD5 | 9ace9ca4e10a48822a48955cbd3f94d0 |
| SHA1 | 1f0efa2ee544e5b7a98de5201fb8254b6f3eb613 |
| SHA256 | f8fdbb9c5cdceb1363bb04c5e89b3288ea30d79ef1a332e7a06c7195dd2e0ec4 |
| SHA512 | 25354aeecb224fd6d863c0253cd7ad382dce7067f4147790ee0ce343f8c3e0efb84e54dd174116e7ad52d4a7e05735039fa1085b739abbe80f9e318e432eed73 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SLAUSJ2C\css2[1].css
| MD5 | d3ba4265c51f67eee68700ad71c86e2d |
| SHA1 | deb7262156fd88684458104797b883227a105d6b |
| SHA256 | 8b219ede56fd2c35318b6e9da10833ed74e4a30a32dd6e368c00e5feef9c0e8f |
| SHA512 | 926067c174bdef92a97574d13200bd6cae081562a1c9830965d197b3b43e751250fced4dab78c240f4acfe4a2d29fdda56337bac5e0ec7f3c9ddeab1cc0cbab3 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\79SZ112Y\KFOlCnqEu92Fr1MmEU9vBg[1].woff2
| MD5 | 05ba8fbe92bfa8e43c4f476de1befe73 |
| SHA1 | 6e25533e5832d2007c366973d50437b5ca3ef195 |
| SHA256 | 4d2de69f3d7ccb50ab915754c66ae9a4503c3bb8eb5e594c56b46f4cd2fdb57e |
| SHA512 | 5b4ce494c7bf931668812f51048a3c45129baca5ca01b294257b0c59d31e9d9a94b21f3d37157106498968f6baf500aa4fc8781122d7b68a5e634917417f42e6 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SLAUSJ2C\KFOmCnqEu92Fr1Me4A[1].woff2
| MD5 | 3a1d827d4c9cea1a4d9ac216bf6a3d0b |
| SHA1 | b3464ccd91897b1db6cf5eb06e7a4f89f31edb94 |
| SHA256 | cc7b21390d89052da348cf014a9f38412956b535ba362d5021cf9b2707f03df6 |
| SHA512 | e2d8c5fc730ab3e648e2dca07f462e993e2125d777b16a5fe393d1eb3a2efeebefb65a7bacd058ae04b3a6b3e0883f6952824692ae28696011052c7737bbb19f |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5PGROS7F\KFOlCnqEu92Fr1MmSU5vBg[1].woff2
| MD5 | 52dbd6a925c592fc31e569a0c91b9c90 |
| SHA1 | 43cf4017fd1d93c81110380abc9ab0a757c44c31 |
| SHA256 | 47ee31cef64cd5a8df6f2ad9db7cf3137b163cbca0b7881a124df98cc575e1d9 |
| SHA512 | 5be9095bd2805b09764e247e27583e03d523a0b3a15c108ad02a25925a5fbb8a0729c03cd53d68664d41e67c621cc1eddc7867d28713250ecd607736e61d4139 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk
| MD5 | 8d5c9faaa9df8b880535664f9ceb0212 |
| SHA1 | c05f14e10ce93d46fe7a5dc8ca949c16a829e252 |
| SHA256 | 9e5254a0f28c38b6bec55ad8d80ab7f0dc39ca5b3cd46ce2b8950a20bf7ca07e |
| SHA512 | ae875c7f2643fa9f6a740dbc5e1762d0108dea313d586824527ef48452805491ea71941b00f6897d75fbf72d2e65b326b11e35f3ce8358c97dfc336867324cbd |
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:03
Platform
win7-20240705-en
Max time kernel
1183s
Max time network
1193s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Appinfo = "C:\\ProgramData\\Appinfo" | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe"
C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
"C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe"
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
"C:\Users\Admin\AppData\LocalnrIszSVIvh.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LocalgpXAJOk_AK.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Appinfo'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Appinfo'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Appinfo" /tr "C:\ProgramData\Appinfo"
C:\Windows\system32\taskeng.exe
taskeng.exe {3320FAE9-8169-4A5B-A5C9-C81B317D5FC4} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp |
Files
memory/1736-0-0x000007FEF58BE000-0x000007FEF58BF000-memory.dmp
C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
| MD5 | 78563d0035e1efbd4893ebfe5c531dd2 |
| SHA1 | 422a139897211fb59d72e575854b266f7ce85e7c |
| SHA256 | 3a4d442da6508560c48369d1e388ca9a6d4b71d1884fe2aa267b66f7da8f26e8 |
| SHA512 | d0562d9f5985334f081933bcf1b608b012a93149c8b022b3bae95004ef2aabe46c245043338ddf97ff2c82e0848152278617c0e675609676128c98de61991b54 |
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
| MD5 | c9e5ab8a4ca9c024a9c7ee2928589a9f |
| SHA1 | e3e9efcb92add817b599d60716e3145adfc68326 |
| SHA256 | db335459f68b4764704a113a44ad3dea7d1c97b868e2f59548ceb83af835f842 |
| SHA512 | 378f9e5ecf3be4e00d6fa08fef576641be5dd881fe5c19363160f1e0adfef6be1ba6bce6cccb2cff0e9b9a36a819799908bd67e8c58edeeaf3c5b0362e380341 |
memory/1748-13-0x0000000001200000-0x000000000123E000-memory.dmp
memory/1736-12-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp
memory/2212-16-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2212-14-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2212-18-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2212-19-0x0000000000400000-0x000000000169A000-memory.dmp
memory/2756-26-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/2756-27-0x0000000002080000-0x0000000002088000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HZMR1QO0QLXXLQJ21O2W.temp
| MD5 | 369591d65ab09426513f4b7bf41323dc |
| SHA1 | 81497ea6c0ab0740cff87bc58548deae0d58ac16 |
| SHA256 | 2ae69b6017142da203049e9ed57e74a9e6379f7772a4f99a196f278fbbc14ed3 |
| SHA512 | ddce5ec0e90f524cbc96fb2e77b503ed4baca8873c1ab25e6de9b8516fb7cd4c9a4086cb79bc564d4c94b4b8707714b28558fe324aff7d1303615fe571be4092 |
memory/2884-33-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/2884-34-0x0000000001F00000-0x0000000001F08000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1736-49-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp
memory/3068-53-0x0000000000970000-0x00000000009AE000-memory.dmp
memory/924-56-0x0000000000C60000-0x0000000000C9E000-memory.dmp
memory/1044-58-0x0000000001020000-0x000000000105E000-memory.dmp
memory/2548-60-0x0000000000170000-0x00000000001AE000-memory.dmp
memory/2408-62-0x0000000000D60000-0x0000000000D9E000-memory.dmp
memory/1660-64-0x0000000001220000-0x000000000125E000-memory.dmp
memory/1672-66-0x0000000000150000-0x000000000018E000-memory.dmp
memory/264-68-0x0000000000110000-0x000000000014E000-memory.dmp
memory/1560-70-0x0000000000C30000-0x0000000000C6E000-memory.dmp
memory/264-76-0x00000000000A0000-0x00000000000DE000-memory.dmp
memory/2528-78-0x0000000001170000-0x00000000011AE000-memory.dmp
memory/1308-81-0x0000000001260000-0x000000000129E000-memory.dmp
memory/672-84-0x0000000001360000-0x000000000139E000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:06
Platform
win10v2004-20240802-en
Max time kernel
417s
Max time network
1137s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\26.06.2024\ZGsg7Rz25btLV3b.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\ZGsg7Rz25btLV3b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/4116-0-0x00007FFE6E443000-0x00007FFE6E445000-memory.dmp
memory/4116-1-0x0000000000920000-0x0000000000946000-memory.dmp
memory/4116-3-0x00007FFE6E440000-0x00007FFE6EF01000-memory.dmp
memory/4116-4-0x00007FFE6E440000-0x00007FFE6EF01000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:12
Platform
win10-20240404-en
Max time kernel
315s
Max time network
866s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26.06.2024\uninstall.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.d.1.a.1.a.6.8.f.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:12
Platform
win10v2004-20240802-en
Max time kernel
1194s
Max time network
1200s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26.06.2024\uninstall.cmd"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4200,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 01:54
Platform
win10-20240404-en
Max time kernel
315s
Max time network
887s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 3856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2916 wrote to memory of 3856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2916 wrote to memory of 3856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.1.month.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.1.month.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 01:57
Platform
win10v2004-20240802-en
Max time kernel
428s
Max time network
1152s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 388 wrote to memory of 5020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 388 wrote to memory of 5020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 388 wrote to memory of 5020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.1.month.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.1.month.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 01:57
Platform
win11-20240802-en
Max time kernel
440s
Max time network
1162s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4596 wrote to memory of 3644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4596 wrote to memory of 3644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4596 wrote to memory of 3644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.1.month.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.1.month.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:03
Platform
win10-20240611-en
Max time kernel
367s
Max time network
871s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\System.Net.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:03
Platform
win7-20240705-en
Max time kernel
841s
Max time network
846s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\System.Net.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 01:44
Platform
win10v2004-20240802-en
Max time kernel
7s
Max time network
4s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\System.Net.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:05
Platform
win7-20240729-en
Max time kernel
719s
Max time network
720s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\26.06.2024\ZGsg7Rz25btLV3b.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\ZGsg7Rz25btLV3b.exe"
Network
Files
memory/2744-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp
memory/2744-1-0x0000000000BA0000-0x0000000000BC6000-memory.dmp
memory/2744-3-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp
memory/2744-4-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:07
Platform
win11-20240802-en
Max time kernel
438s
Max time network
1157s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\26.06.2024\ZGsg7Rz25btLV3b.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\ZGsg7Rz25btLV3b.exe"
Network
Files
memory/3140-0-0x00007FFF7B8B3000-0x00007FFF7B8B5000-memory.dmp
memory/3140-1-0x0000000000D10000-0x0000000000D36000-memory.dmp
memory/3140-3-0x00007FFF7B8B0000-0x00007FFF7C372000-memory.dmp
memory/3140-4-0x00007FFF7B8B0000-0x00007FFF7C372000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:03
Platform
win10v2004-20240802-en
Max time kernel
1200s
Max time network
1203s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modify Registry: Disable Windows Driver Blocklist
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Appinfo = "C:\\ProgramData\\Appinfo" | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "f1e7b87d-9a93d34d-d" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = b55a3e8d5bb492ab | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe"
C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
"C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe"
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
"C:\Users\Admin\AppData\LocalnrIszSVIvh.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://artecore.xyz/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffe9e6646f8,0x7ffe9e664708,0x7ffe9e664718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LocalgpXAJOk_AK.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Appinfo'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Appinfo'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Appinfo" /tr "C:\ProgramData\Appinfo"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4316 /prefetch:2
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | artecore.xyz | udp |
| US | 172.67.209.3:443 | artecore.xyz | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 3.209.67.172.in-addr.arpa | udp |
| NL | 142.250.27.99:443 | www.google.com | tcp |
| NL | 142.250.27.99:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 95.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.27.250.142.in-addr.arpa | udp |
| NL | 142.250.27.99:443 | www.google.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 142.250.27.99:443 | www.google.com | udp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| TR | 85.105.15.233:5555 | tcp | |
| NL | 52.111.243.31:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp |
Files
memory/4072-0-0x00007FFE9E325000-0x00007FFE9E326000-memory.dmp
memory/4072-2-0x00007FFE9E070000-0x00007FFE9EA11000-memory.dmp
C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
| MD5 | 78563d0035e1efbd4893ebfe5c531dd2 |
| SHA1 | 422a139897211fb59d72e575854b266f7ce85e7c |
| SHA256 | 3a4d442da6508560c48369d1e388ca9a6d4b71d1884fe2aa267b66f7da8f26e8 |
| SHA512 | d0562d9f5985334f081933bcf1b608b012a93149c8b022b3bae95004ef2aabe46c245043338ddf97ff2c82e0848152278617c0e675609676128c98de61991b54 |
memory/4072-12-0x00007FFE9E070000-0x00007FFE9EA11000-memory.dmp
memory/4768-14-0x00007FFE9BC73000-0x00007FFE9BC75000-memory.dmp
memory/4768-16-0x0000000000570000-0x00000000005AE000-memory.dmp
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
| MD5 | c9e5ab8a4ca9c024a9c7ee2928589a9f |
| SHA1 | e3e9efcb92add817b599d60716e3145adfc68326 |
| SHA256 | db335459f68b4764704a113a44ad3dea7d1c97b868e2f59548ceb83af835f842 |
| SHA512 | 378f9e5ecf3be4e00d6fa08fef576641be5dd881fe5c19363160f1e0adfef6be1ba6bce6cccb2cff0e9b9a36a819799908bd67e8c58edeeaf3c5b0362e380341 |
memory/4072-25-0x00007FFE9E070000-0x00007FFE9EA11000-memory.dmp
memory/4972-26-0x0000000003500000-0x0000000003501000-memory.dmp
memory/4972-28-0x0000000000400000-0x000000000169A000-memory.dmp
memory/4972-49-0x0000000006D50000-0x0000000006D51000-memory.dmp
memory/4972-59-0x00000000085C0000-0x00000000085C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2783c40400a8912a79cfd383da731086 |
| SHA1 | 001a131fe399c30973089e18358818090ca81789 |
| SHA256 | 331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5 |
| SHA512 | b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685 |
memory/4972-70-0x000000000A810000-0x000000000A811000-memory.dmp
memory/4972-80-0x000000000CD60000-0x000000000CD61000-memory.dmp
memory/4972-78-0x000000000CBF0000-0x000000000CBF1000-memory.dmp
\??\pipe\LOCAL\crashpad_3460_TQQLFURDBAUCFZNV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ff63763eedb406987ced076e36ec9acf |
| SHA1 | 16365aa97cd1a115412f8ae436d5d4e9be5f7b5d |
| SHA256 | 8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c |
| SHA512 | ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 49c32e8e248b9efcf5eb8e58b7ad00f8 |
| SHA1 | 10719852dac4ea1340a0466cf369181295185edc |
| SHA256 | c53df21fcbcffcd7075085496d4ac4b3466f4c5374dc6d9dc44632216f0e4b35 |
| SHA512 | d7cac9088d2c5154d2e842bdfb7151f0746a65b37cf6634bb56e544ab849c1830b3e9bc070491236c8941d7da0652a267322c3213c7244a247f45f90cec174e7 |
memory/4768-133-0x00007FFE9BC70000-0x00007FFE9C731000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
| MD5 | 3e552d017d45f8fd93b94cfc86f842f2 |
| SHA1 | dbeebe83854328e2575ff67259e3fb6704b17a47 |
| SHA256 | 27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6 |
| SHA512 | e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9 |
memory/3152-253-0x0000020A3E140000-0x0000020A3E162000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4xvru4r.boe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
memory/4972-290-0x000000000C940000-0x000000000C941000-memory.dmp
memory/3252-299-0x000002E77EB60000-0x000002E77EBA8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fd98baf5a9c30d41317663898985593b |
| SHA1 | ea300b99f723d2429d75a6c40e0838bf60f17aad |
| SHA256 | 9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96 |
| SHA512 | bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c0bd07f606dff5a12511687efb4ad95c |
| SHA1 | 74efee68c54bb886a047da76e904fc34dc353655 |
| SHA256 | 58becbed58b354a2e27acf709ccc48bd675f7883c32b762bb76432d5b612fe41 |
| SHA512 | 96a10126d9f4f54a5899f8e9a4768ec929fce1013ff4915450819fb0d370ffe33f88ddf4fd1ce69f4b1e5522d0e3628f6920cd450447222246c7312939b84590 |
C:\Users\Admin\AppData\Roaming\i5kld8se3.cfg
| MD5 | ad2ee3633d027d2cc5eb4a188220f6c9 |
| SHA1 | e9347afcfbce8f23dc2d12c9bee58a848530bd44 |
| SHA256 | fb548726ea9e07220abca7a2dc9d8d4f4b4d9ef3cff9fcc322c1e28cd9a187f5 |
| SHA512 | 7d5ea8df50f6e632afb4ce15f99d8351372e9540cf1872f880b1aac5fd8014aef180ffb64d421e50d4d786984f1f4c89d0e9888b9c6ee521179762ecae6db9d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e3ffde604e7cd91dbdec1c92e09cb1c3 |
| SHA1 | 9e8e4120fea18250a4a1ecef8c2677a56553b7ec |
| SHA256 | 1ccf4a58850e4675d7c345d40b718a005f9c1970392acaabf7c9c328b4206fe9 |
| SHA512 | 0314f465d4f3ae25872447e69f0ec1a79c0e2e696ff71456e44977a7fb697ccfa684902aab379f06bcb7d4024d47332f6009742dfb9e4c647c79d3ea2db25cc8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3ed794a7800aafb4deef2a60aee0434b |
| SHA1 | 3348ea26dfc8f8b3fe6cdf8be37ec46f4bb59424 |
| SHA256 | 4e3808e70703c1122dde66924769b5c60e78eaa9dcb1ab0ac70a89962ec7d57d |
| SHA512 | bfbfa18cfe92373b3a0e7eca409e23b3ab9f40d15bd9c4575f7b9bf81dbc30f6e3778c4c2c55da9098174e60b688002a8e714eff34a4101d1ed56afebfa29879 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 85ce6ae8425597335a0ffec3652e2dbc |
| SHA1 | 6c23862ccacdfbf462052f4a6c695f20dd840a6b |
| SHA256 | a73c1a728ffcb0299d3908f17dc93717efcf6a250a6bea58e904aa950840f836 |
| SHA512 | 213be79a9c1c0fa2728e1c8b24a5f493e6f4a62a571f96c9a8cb7764e97b5e85966bf3af7e8c62bf41c9cabd24bf9156dee7847dd40403fedaa8992cd83aefa3 |
memory/4972-1089-0x000000000C940000-0x000000000C941000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 07053fd8532d9be960edff4031e9392a |
| SHA1 | ebe503d728c84dcab3e34faf43bd43618271b6bf |
| SHA256 | aade6b83b731e30a80904304fc2f706e836d582488a305142e9ea17cc2708766 |
| SHA512 | 5fcabf75315b4b678f083cc88f1c9ff98c72863aadf2f4e2026610a782625d2967767f17e4c7a7cc5f27c054bd2784d27926349f947f9698c7d7831b245bd499 |
memory/4768-1304-0x00007FFE9BC73000-0x00007FFE9BC75000-memory.dmp
memory/4972-1426-0x0000000006CD0000-0x0000000006CD1000-memory.dmp
memory/4768-1443-0x00007FFE9BC70000-0x00007FFE9C731000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 7c907744c672b74c32e476bb32d6dc10 |
| SHA1 | 88996e4cd1ef5f29eac257a88c464bc051939513 |
| SHA256 | 8e937be53f4b614c3fe815454eab8bef6adff99ab8217165952984c94a4fea15 |
| SHA512 | e1d99765c12bd441989b68bebb527f3f619083a92a5724519d26ba5c38eab625c559da9d0f86e43eeaab3dace3e5c76d9f5469f1d700071de0b97a52878840c4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Appinfo.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:03
Platform
win11-20240802-en
Max time kernel
1200s
Max time network
1197s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modify Registry: Disable Windows Driver Blocklist
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
| N/A | N/A | C:\ProgramData\Appinfo | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\Appinfo = "C:\\ProgramData\\Appinfo" | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "8900883c-487da22d-d" | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 9018fbcd16716e39 | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\LocalnrIszSVIvh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Appinfo | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe"
C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
"C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe"
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
"C:\Users\Admin\AppData\LocalnrIszSVIvh.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://artecore.xyz/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff09403cb8,0x7fff09403cc8,0x7fff09403cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LocalgpXAJOk_AK.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Appinfo'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Appinfo'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Appinfo" /tr "C:\ProgramData\Appinfo"
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,15646390107832664670,6820111454584713752,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6072 /prefetch:2
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 104.21.53.49:443 | artecore.xyz | tcp |
| NL | 142.250.27.99:443 | www.google.com | tcp |
| NL | 142.250.27.99:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 95.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.27.250.142.in-addr.arpa | udp |
| NL | 142.250.27.99:443 | www.google.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 142.250.27.99:443 | www.google.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp | |
| TR | 85.105.15.233:5555 | tcp |
Files
memory/4820-0-0x00007FFEF77B5000-0x00007FFEF77B6000-memory.dmp
memory/4820-1-0x00007FFEF7500000-0x00007FFEF7EA1000-memory.dmp
memory/4820-10-0x00007FFEF7500000-0x00007FFEF7EA1000-memory.dmp
C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
| MD5 | 78563d0035e1efbd4893ebfe5c531dd2 |
| SHA1 | 422a139897211fb59d72e575854b266f7ce85e7c |
| SHA256 | 3a4d442da6508560c48369d1e388ca9a6d4b71d1884fe2aa267b66f7da8f26e8 |
| SHA512 | d0562d9f5985334f081933bcf1b608b012a93149c8b022b3bae95004ef2aabe46c245043338ddf97ff2c82e0848152278617c0e675609676128c98de61991b54 |
memory/3568-18-0x0000000000730000-0x000000000076E000-memory.dmp
C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
| MD5 | c9e5ab8a4ca9c024a9c7ee2928589a9f |
| SHA1 | e3e9efcb92add817b599d60716e3145adfc68326 |
| SHA256 | db335459f68b4764704a113a44ad3dea7d1c97b868e2f59548ceb83af835f842 |
| SHA512 | 378f9e5ecf3be4e00d6fa08fef576641be5dd881fe5c19363160f1e0adfef6be1ba6bce6cccb2cff0e9b9a36a819799908bd67e8c58edeeaf3c5b0362e380341 |
memory/3568-14-0x00007FFEF4F73000-0x00007FFEF4F75000-memory.dmp
memory/4820-25-0x00007FFEF7500000-0x00007FFEF7EA1000-memory.dmp
memory/4868-26-0x0000000001890000-0x0000000001891000-memory.dmp
memory/4868-27-0x0000000000400000-0x000000000169A000-memory.dmp
memory/4868-42-0x0000000006C20000-0x0000000006C21000-memory.dmp
memory/4868-48-0x0000000006E00000-0x0000000006E01000-memory.dmp
memory/4868-50-0x0000000006E00000-0x0000000006E01000-memory.dmp
memory/4868-66-0x0000000006E00000-0x0000000006E01000-memory.dmp
memory/4868-68-0x0000000006E00000-0x0000000006E01000-memory.dmp
memory/4868-74-0x0000000006E00000-0x0000000006E01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ea667b2dedf919487c556b97119cf88a |
| SHA1 | 0ee7b1da90be47cc31406f4dba755fd083a29762 |
| SHA256 | 9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f |
| SHA512 | 832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72 |
\??\pipe\LOCAL\crashpad_1244_RHGDKTNBDRUGAJMG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2ee16858e751901224340cabb25e5704 |
| SHA1 | 24e0d2d301f282fb8e492e9df0b36603b28477b2 |
| SHA256 | e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c |
| SHA512 | bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cb5e3824-5990-4ac0-8ec1-25b586b71405.tmp
| MD5 | 305d54f2043db1a83b352b6499837c9c |
| SHA1 | be67cad4e9f9d71c8e2458319e3cc983ee0b4459 |
| SHA256 | 86525c73b78166d41672f50f2069890784eed6b883ac46bc47608c4037006dc1 |
| SHA512 | 32d019ca0247e1a7dad1df008d3a80b55f30bc142e390c8fd15709e2085df1dbe1d5484582294e785425dcd282b2891b7dda6fa34d67060e9e4a9891d5b24f0c |
memory/3568-146-0x00007FFEF4F70000-0x00007FFEF5A32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
| MD5 | 3e552d017d45f8fd93b94cfc86f842f2 |
| SHA1 | dbeebe83854328e2575ff67259e3fb6704b17a47 |
| SHA256 | 27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6 |
| SHA512 | e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hg2qnur5.igo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/412-211-0x000001C65CE30000-0x000001C65CE52000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6903d57eed54e89b68ebb957928d1b99 |
| SHA1 | fade011fbf2e4bc044d41e380cf70bd6a9f73212 |
| SHA256 | 36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52 |
| SHA512 | c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cef328ddb1ee8916e7a658919323edd8 |
| SHA1 | a676234d426917535e174f85eabe4ef8b88256a5 |
| SHA256 | a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90 |
| SHA512 | 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8cb7f4b4ab204cacd1af6b29c2a2042c |
| SHA1 | 244540c38e33eac05826d54282a0bfa60340d6a1 |
| SHA256 | 4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6 |
| SHA512 | 7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e |
C:\Users\Admin\AppData\Roaming\i5kld8se3.cfg
| MD5 | ad2ee3633d027d2cc5eb4a188220f6c9 |
| SHA1 | e9347afcfbce8f23dc2d12c9bee58a848530bd44 |
| SHA256 | fb548726ea9e07220abca7a2dc9d8d4f4b4d9ef3cff9fcc322c1e28cd9a187f5 |
| SHA512 | 7d5ea8df50f6e632afb4ce15f99d8351372e9540cf1872f880b1aac5fd8014aef180ffb64d421e50d4d786984f1f4c89d0e9888b9c6ee521179762ecae6db9d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 527aab9431bfa4110cb95a25b9960b52 |
| SHA1 | dfa86d9f9641efba3dede581276cb3b331aebef3 |
| SHA256 | 90e41cbb1e5b8b3c2ff18907b32fc550d471156792cdb0a8a05ff5afb4d93248 |
| SHA512 | 0514edb5686433870115116f2ab2b2e219cdf6cacbd20d1ae55895e5b77e80d6dabfec51a4ce6604410ad84ffa4602ac42e87347ef6a162974fb2a380fde5961 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 915dfb7281981084a5c8a24cc753b360 |
| SHA1 | 574e746636d7eb6fe3804675cf48f82dee0c2bba |
| SHA256 | 3b1394f4327ee58a54b22d0b9bcd7aca1deb484834155f158840d6d683ec5fc3 |
| SHA512 | b14c989b58c86544728b38e4df340ef0140a808219a29bfb2f4c58e5c17b3d0411cf6b572a4c876220abca4d97f9b9367ed3059cff05c656460d90afd64a92db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1b879e9b796af788dce8518b9442f1c8 |
| SHA1 | d11b57a498af4ee24686d15f180bfa3bf29f9103 |
| SHA256 | df1cb0bf1091533183a1f0eb3b9bc29cab341bf8881b00998b3328bccfe29b2a |
| SHA512 | a2381fbcca338a750e9739ec25784e14bb7db55401dbafab357b36fd466ca39eded9b1f43505855f24cc861f68cfe3541466c33b1638c3664b9e9731837a0531 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a549ed66f9e13526b21e4bcd0d6b846e |
| SHA1 | 397dcab64861fb31ec20b81b2c55b15699c043c4 |
| SHA256 | 907bcb9f64d9724752f047079068958af67468ba2bd8bdd347138379029c2937 |
| SHA512 | f37276bded16d444f198eb899dcd146de1c668e54e7f6ee6300435616d3033e545e4cdbe62ae040eb09d3cd83d9fbb29fd428acb5a4371cffc46d863d106bf08 |
memory/3568-1072-0x00007FFEF4F70000-0x00007FFEF5A32000-memory.dmp
memory/4868-1197-0x0000000006DA0000-0x0000000006DA1000-memory.dmp
memory/4868-1450-0x0000000006DA0000-0x0000000006DA1000-memory.dmp
memory/4868-2168-0x00000000019C0000-0x00000000019C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 543a480c90b28699344c8dbd45984b85 |
| SHA1 | eafd79e0aca54cc3c60507c25c597024fd15da84 |
| SHA256 | fda0bc3a7a88dcb1da0245492f09522941f4a57f69b28dbb439676ae2737d4cd |
| SHA512 | fcc90cc2bf07125cbc803c377ef69edd2a729e0dfba84610e6c06f39d2b845f9c92e3bcab82ccb3d47a9bf7251623f29f24796a4d911a2b5d348813096833f71 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Appinfo.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
memory/4868-3721-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-4470-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-4733-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-5496-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-5685-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-6270-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-6368-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-7050-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-7667-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-8122-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-8220-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-8473-0x00000000019C0000-0x00000000019C1000-memory.dmp
memory/4868-8839-0x00000000019C0000-0x00000000019C1000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:12
Platform
win7-20240729-en
Max time kernel
837s
Max time network
838s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\26.06.2024\uninstall.cmd"
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:13
Platform
win11-20240802-en
Max time kernel
444s
Max time network
1166s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26.06.2024\uninstall.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-03 01:30
Reported
2024-08-03 02:04
Platform
win11-20240802-en
Max time kernel
436s
Max time network
1158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26.06.2024\System.Net.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |