Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-02-2024 10:10
- Static task: static1
- URLScan task: urlscan1
Malware Config
Extracted
- Family: lumma
- C2 URLs:
  - https://questbehavixoporpo.shop/api
  - https://technologyenterdo.shop/api
  - https://detectordiscusser.shop/api
  - https://turkeyunlikelyofw.shop/api
  - https://associationokeo.shop/api
Signatures
Executes dropped EXE (2 IoCs)
Processes:
- PID 4168 Setup.exe
- PID 3848 Setup.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 4168 Setup.exe set thread context of PID 2376 (procid_target 124)
- PID 3848 Setup.exe set thread context of PID 4472 (procid_target 127)
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- taskmgr.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- taskmgr.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies registry class (1 IoCs)
Processes:
- msedge.exe: Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (39 IoCs)
Processes (pid, process, number of recorded events):
- PID 1892 msedge.exe (2 events)
- PID 1124 msedge.exe (2 events)
- PID 3052 identity_helper.exe (2 events)
- PID 1928 msedge.exe (2 events)
- PID 4592 taskmgr.exe (13 events)
- PID 4480 msedge.exe (4 events)
- PID 4256 taskmgr.exe (14 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 2500 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:
- PID 1124 msedge.exe (7 events)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes (pid, process, tokens adjusted):
- PID 2500 7zFM.exe: SeRestorePrivilege, 35, SeSecurityPrivilege
- PID 4808 7zFM.exe: SeRestorePrivilege, 35
- PID 2416 7zG.exe: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
- PID 4592 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
- PID 4256 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, process, number of recorded events):
- PID 1124 msedge.exe (33 events)
- PID 2500 7zFM.exe (2 events)
- PID 4808 7zFM.exe (1 event)
- PID 2416 7zG.exe (1 event)
- PID 4592 taskmgr.exe (27 events)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid, process, number of recorded events):
- PID 1124 msedge.exe (24 events)
- PID 4592 taskmgr.exe (39 events)
- PID 4256 taskmgr.exe (1 event)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid, process, target pid, procid_target, number of recorded events):
- PID 1124 msedge.exe wrote to memory of PID 5096 (procid_target 57): 2 events
- PID 1124 msedge.exe wrote to memory of PID 4160 (procid_target 93): 40 events
- PID 1124 msedge.exe wrote to memory of PID 1892 (procid_target 91): 2 events
- PID 1124 msedge.exe wrote to memory of PID 3784 (procid_target 92): 20 events
Processes
[level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://shorten.world/Qda4K
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1124

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9d7846f8,0x7ffd9d784708,0x7ffd9d784718
PID:5096

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID:1892

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
PID:3784

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
PID:4160

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
PID:1676

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
PID:4836

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
PID:3056

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:3052

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
PID:4572

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
PID:2892

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4736 /prefetch:8
PID:2724

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
PID:2884

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:1928

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
PID:4384

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
PID:4980

[level 2] C:\Program Files\7-Zip\7zFM.exe
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Setup.rar"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2500

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16426151728055538619,16854066390357095709,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2652 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:4480

[level 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1344

[level 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:3304

[level 1] C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4480

[level 1] C:\Program Files\7-Zip\7zFM.exe
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Setup.rar"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4808

[level 1] C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -ad -an -ai#7zMap19806:72:7zEvent9872
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2416

[level 1] C:\Users\Admin\Downloads\Setup\Setup\Setup.exe
Command line: "C:\Users\Admin\Downloads\Setup\Setup\Setup.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4168

[level 2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
PID:2376

[level 1] C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4592

[level 1] C:\Users\Admin\Downloads\Setup\Setup\Setup.exe
Command line: "C:\Users\Admin\Downloads\Setup\Setup\Setup.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3848

[level 2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
PID:4472

[level 1] C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4256

[level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8c46d374h5128h4937h8093hc355b2346fdf
PID:4808

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd9d7846f8,0x7ffd9d784708,0x7ffd9d784718
PID:64

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,16311619357239854838,4374322960190044576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
PID:4076

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,16311619357239854838,4374322960190044576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
PID:3576
Network
MITRE ATT&CK Enterprise v15
Downloads