Analysis
max time kernel: 295s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 12/03/2024, 16:53
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
asyncrat
FreeMic
authority-amazon.gl.at.ply.gg:41414
4xFΕ开mΑ6XrHW艾ת尺tת尺ץ
delay: 1
install: true
install_file: svchost.exe
install_folder: %AppData%
Signatures

Async RAT payload (2 IoCs)
  resource: behavioral1/files/0x0008000000023359-224.dat  yara_rule: family_asyncrat
  resource: behavioral1/memory/3304-237-0x000001E1C2E30000-0x000001E1C2E40000-memory.dmp  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation  Process: Binder V2.1.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation  Process: Binder.exe

Executes dropped EXE (4 IoCs)
  pid 5168  Binder V2.1.exe
  pid 3304  XBinder v2.exe
  pid 6084  Binder.exe
  pid 5732  svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 5192  schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  pid 2628  timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  Process: msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  Process: msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  Process: msedge.exe

Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid 4320  msedge.exe  (2 entries)
  pid 3372  msedge.exe  (3 entries)
  pid 4232  identity_helper.exe  (2 entries)
  pid 3084  msedge.exe  (2 entries)
  pid 6084  Binder.exe  (22 entries)
  pid 2980  msedge.exe  (4 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 3304  XBinder v2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (19 IoCs)
  pid 3372  msedge.exe  (19 entries)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeRestorePrivilege  pid 6124  7zG.exe
  Token: 35  pid 6124  7zG.exe
  Token: SeSecurityPrivilege  pid 6124  7zG.exe  (2 entries)
  Token: SeDebugPrivilege  pid 6084  Binder.exe  (2 entries)
  Token: SeDebugPrivilege  pid 5732  svchost.exe  (2 entries)

Suspicious use of FindShellTrayWindow (38 IoCs)
  pid 3372  msedge.exe  (36 entries)
  pid 6124  7zG.exe
  pid 3304  XBinder v2.exe

Suspicious use of SendNotifyMessage (24 IoCs)
  pid 3372  msedge.exe  (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 3372 wrote to memory of 3544 3372 msedge.exe 87 PID 3372 wrote to memory of 3544 3372 msedge.exe 87 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 
msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 2700 3372 msedge.exe 88 PID 3372 wrote to memory of 4320 3372 msedge.exe 89 PID 3372 wrote to memory of 4320 3372 msedge.exe 89 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 PID 3372 wrote to memory of 4996 3372 msedge.exe 90 -
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/files/16381763/Binder_V2.1.rar.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3372

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbce1d46f8,0x7ffbce1d4708,0x7ffbce1d4718
    PID: 3544

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    PID: 2700

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 4320

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
    PID: 4996

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    PID: 4240

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    PID: 2060

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
    PID: 3472

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    PID: 1656

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
    PID: 2712

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    PID: 2088

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    PID: 2204

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
    PID: 2752

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4232

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    PID: 5136

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
    PID: 5144

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
    PID: 5364

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
    PID: 5372

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
    PID: 2800

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
    PID: 5304

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
    PID: 5200

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
    PID: 4392

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    PID: 3520

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
    PID: 548

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6640 /prefetch:8
    PID: 1824

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
    PID: 4192

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3084

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
    PID: 264

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15149642263261407154,3874661090948213680,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 2980
C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3872

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4112

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21285:84:7zEvent29236
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 6124

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5788

"C:\Users\Admin\Downloads\Binder V2.1\Binder V2.1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID: 5168

  "C:\Users\Admin\AppData\Local\Temp\XBinder v2.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID: 3304

  "C:\Users\Admin\AppData\Local\Temp\Binder.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 6084

    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      PID: 6080

      C:\Windows\system32\schtasks.exe: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        - Creates scheduled task(s)
        PID: 5192

    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E2F.tmp.bat""
      PID: 5328

      C:\Windows\system32\timeout.exe: timeout 3
        - Delays execution with timeout.exe
        PID: 2628

      "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 5732
Network
MITRE ATT&CK Enterprise v15
Downloads