Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-09-2023 19:33
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/kap-s/kaps-cheat/blob/main/kaps%20custom%20cheat.exe
Resource: win10v2004-20230831-en
General
Target: https://github.com/kap-s/kaps-cheat/blob/main/kaps%20custom%20cheat.exe
Malware Config
Extracted: mercurialgrabber
https://discord.com/api/webhooks/1020320395158634589/fwKZGT0bv91EipWabWtmJOsr2Vr-67JbIPEKZ7gJTHnPAc6pXPQwW4-D81rYUie2_Fvt
Signatures
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | kaps custom cheat.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | kaps custom cheat.exe
Downloads MZ/PE file
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | kaps custom cheat.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | kaps custom cheat.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | kaps custom cheat.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
3624 | kaps custom cheat.exe
4228 | kaps custom cheat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
66 | ip4.seeip.org
49 | ip4.seeip.org
50 | ip4.seeip.org
51 | ip4.seeip.org
52 | ip-api.com
65 | ip4.seeip.org
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | kaps custom cheat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | kaps custom cheat.exe
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
4108 | 3624 | WerFault.exe | kaps custom cheat.exe
5052 | 4228 | WerFault.exe | kaps custom cheat.exe
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | kaps custom cheat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | kaps custom cheat.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | kaps custom cheat.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | kaps custom cheat.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | kaps custom cheat.exe
Enumerates system info in registry 2 TTPs 11 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | kaps custom cheat.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | kaps custom cheat.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 164875.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
1748 | msedge.exe
1748 | msedge.exe
4984 | msedge.exe
4984 | msedge.exe
1696 | identity_helper.exe
1696 | identity_helper.exe
1588 | msedge.exe
1588 | msedge.exe
2240 | msedge.exe
2240 | msedge.exe
2240 | msedge.exe
2240 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid | process
4984 | msedge.exe (7 identical entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3624 | kaps custom cheat.exe
Token: SeDebugPrivilege | 4228 | kaps custom cheat.exe
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
pid | process
4984 | msedge.exe (35 identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process
4984 | msedge.exe (24 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries
PID 4984 wrote to memory of 5088 | 4984 | msedge.exe | msedge.exe | 2
PID 4984 wrote to memory of 2808 | 4984 | msedge.exe | msedge.exe | 40
PID 4984 wrote to memory of 1748 | 4984 | msedge.exe | msedge.exe | 2
PID 4984 wrote to memory of 4692 | 4984 | msedge.exe | msedge.exe | 20
Processes
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kap-s/kaps-cheat/blob/main/kaps%20custom%20cheat.exe
  PID: 4984
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaac8046f8,0x7ffaac804708,0x7ffaac804718
      PID: 5088
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      PID: 1748
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      PID: 2808
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
      PID: 4692
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      PID: 4396
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      PID: 928
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
      PID: 4992
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
      PID: 1696
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
      PID: 2768
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4612 /prefetch:8
      PID: 4660
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5896 /prefetch:8
      PID: 4956
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
      PID: 3956
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      PID: 1700
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
      PID: 3936
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      PID: 3212
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
      PID: 1588
      - Suspicious behavior: EnumeratesProcesses
    "C:\Users\Admin\Downloads\kaps custom cheat.exe"
      PID: 3624
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\WerFault.exe -u -p 3624 -s 2284
          PID: 4108
          - Program crash
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9904793039407384882,1928773802194525224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4780 /prefetch:2
      PID: 2240
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3408
C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2848
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3624 -ip 3624
  PID: 2968
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1700
"C:\Users\Admin\Downloads\kaps custom cheat.exe"
  PID: 4228
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\WerFault.exe -u -p 4228 -s 2168
      PID: 5052
      - Program crash
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4228 -ip 4228
  PID: 2260
Network
MITRE ATT&CK Enterprise v15
Downloads