Analysis
-
max time kernel
290s -
max time network
281s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
23-03-2024 06:50
General
-
Target
https://github.com/Pyran1/MalwareDatabase/blob/master/KeyLogger/CheetahKeyLogger/094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.zip
Malware Config
Extracted
Protocol: smtp- Host:
mail.tshwanemuslimschool.co.za - Port:
587 - Username:
[email protected] - Password:
Mia@1805
Signatures
-
Cheetah Keylogger
Cheetah is a keylogger and info stealer first seen in March 2020.
-
Cheetah Keylogger payload 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 44 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Pyran1/MalwareDatabase/blob/master/KeyLogger/CheetahKeyLogger/094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85b2046f8,0x7ff85b204708,0x7ff85b2047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5252 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,8171279046715996346,17107776867314048179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\" -ad -an -ai#7zMap22113:190:7zEvent188171⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"C:\Users\Admin\Downloads\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MEMZ-4.0\" -ad -an -ai#7zMap3203:78:7zEvent214111⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe" /watchdog2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe" /watchdog2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe" /watchdog2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe" /watchdog2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe" /watchdog2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe" /main2⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85b2046f8,0x7ff85b204708,0x7ff85b2047184⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85b2046f8,0x7ff85b204708,0x7ff85b2047184⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85b2046f8,0x7ff85b204708,0x7ff85b2047184⤵
-
-
-
-
C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ-4.0\MEMZ.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e57a6e70b8ae6940ed761121e5f86bad
SHA1aa080336f2f6fd47ba55b7d9b5ff21ec27c665a2
SHA2563f9e9790ecc228887f345c8cc495b550487c345c2ddb63aa8d81f45d02741f44
SHA51216dc9d8b849f4a330e81fc8dfbfdc29823fb9fee7983bd9de7b936d14ccf94561b6697d67c237fc11d9720ad212b7c3b34b37921eb50fe315ee1b9678f058d9b
-
Filesize
152B
MD57c6136bc98a5aedca2ea3004e9fbe67d
SHA174318d997f4c9c351eef86d040bc9b085ce1ad4f
SHA25650c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2
SHA5122d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada
-
Filesize
152B
MD55c6aef82e50d05ffc0cf52a6c6d69c91
SHA1c203efe5b45b0630fee7bd364fe7d63b769e2351
SHA256d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32
SHA51277ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed
-
Filesize
197KB
MD55e28e72b443ded036a4cf369d0dda3bf
SHA10500de4480a54243b12d096745c6ba04c9479e66
SHA25615fc7a054efbb9f76d937448fbb4814d7b3f25a6d137e24c1a69e32947eae71e
SHA5127d17a5248e54e4dda8fd17a4d662edbb274629161a1e25b3b7f7f5112541663a5040788177268c53b2c78bc7e6d2204ccfb342d93c2ceec0a12d8a41788c088b
-
Filesize
1KB
MD5794580a6a4bafd0de391d7820ad1f8f1
SHA131affabe4b85c292d40ed01f668e7233bc4d5d03
SHA2566a96c6d957741e883b92cf9425aa62a8331986d29d42015f9f024cf4edbeeb98
SHA5127be4b243ff1b3fb58ca95d0a37390dd50d153895a98c6f65bb04fa35604eac8d977e3631ad8ad987fd489aa3408c18c1a9c725defc907fd9d4723e55d3a29f78
-
Filesize
1KB
MD56322cc1ae3184b737db535c362d7cce7
SHA18f4fd194cb90068a8c1245ee5cd947d1a3bcf0e7
SHA256edf95d6a36d5b8b06ade3087f6f16bb040c74fd2b0aca25e4dbabd48a00c9dc7
SHA512691c922d2d6976c9561ec5c16cd9dd4165dfa1a5a160a06a450fd02096911bfe2ea5e722401082794cdd92a38231c996fa17538259bc5e524fded5ed0f29aa67
-
Filesize
1KB
MD56fa9a472db66734f623a4d8277081d59
SHA1bd168e0ffdacec556bef8cac204b41592e0e5196
SHA256597afaf8796904d8788fdc54aa2d558d332ea9e8f782cf90e768ad0bd3a4d377
SHA51210c0e6bd78b351110d80286b7b27a87ec787261bda6569a5053d4f4cf3e748c37c552b40ef401cdc6aabaa26c108911fac7b3cbe987bbe8c33de3edf33e92a45
-
Filesize
579B
MD50a8a7c3dafeb4ad3d8cb846fc95b8f1c
SHA169e2b994e6882e1e783410dae53181984050fa13
SHA256a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90
SHA5122e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c
-
Filesize
1KB
MD5f19578b3489c7e32f77867e904f115f5
SHA1757051033b7b95ce29ac845b4cb14a0c241e8487
SHA256585faa88dbdf5cebe29b88eb9be96a9f782aec53c99223ca4e77671d9aabd9ec
SHA51285cf7296cf9047f7188fead0d5077da5cedc6593ccb18479089030ba3616d7e426c69f7a53941d56cd1662cd5da064df34fa4a37528ffc6a1bcf00968c82e30f
-
Filesize
7KB
MD5502ff1f5a79b56c1efcf0c8586822091
SHA1e2f5d4cd502b6908011649e52b08598244f4a283
SHA2560c069b1d05b6fe0dfd248783f4416622a8efc926f5938b038905834afdc8b3d8
SHA512f68867e69c4e3fc216b1e1f2a7feced86edbdf51deb90eb5ced7a6f9565062ef4d7ea487b99d6a35f47d1089cc4ee4f6b31ed3f6def19483991a02817036fa3f
-
Filesize
7KB
MD5cf556f15c7322cf519b65546648e528a
SHA1795f8126b757e689ef5074e56cdc9daf7addaa38
SHA2565f9970d3a2be22e7ea0d0ab4561257ef747c85c7a4dd43b15c4bb69332059902
SHA512b8bb24fd19dfb15650285c7eb2030227630f761ebcb87344be77485489c818d223bb03935174f2461a213c43cfc202afebdf67cd56af349d8ba528157127dc11
-
Filesize
6KB
MD5cf905365eed6fc9f768dcc56aff589e7
SHA145be5839af9e760ec2bece2cd4d19421e9bb1f4a
SHA256151b44b2c900b08445907e2d489dd463baeadf669031f49d7add2a79bec8e43f
SHA51271bc7bef4b786dbf05be38aaf9e5279be8aa78e7a03a25f70047931593e2817106bf99052c8534d407b46ca55519309d37529e91ae3ec0216dfdf6a7456660db
-
Filesize
7KB
MD575f989dfaf84bd185aa074066c52be16
SHA16e9fc13c8f7ecaf8c9c2722b2b8ca4bc5825ca8d
SHA2567089312ab14b7bacb6af00965b816ba102fdbc557d92ada8243757df678ba13b
SHA512cb95b5acc73708624ab5324883219837e95fff98556ceef18690b0ba4e343e015ed807ccb7286238fb3451bb9127edaff83c864c1da8b4d90621a4708a2e1aa5
-
Filesize
6KB
MD55bfa60a4e3defb29a716f4029b3e1132
SHA18c208607fb5e76a0adab0ea6f40bf71a0a368ca4
SHA25677b7242ad4a13de3020a8d08daaee2b3116f687739dfa87f8b0cb2f6af45d705
SHA5122e99d1faa9b4e11e0d4d6209b8089b2f2f68cff332afd635e614bf5601d3ffedeb0c5cc21bda17f10042e6245a8522936f62364564518230dae708a98585e597
-
Filesize
6KB
MD5cd20957c2b88c7394af6109143bc6c6e
SHA11ca060dda5385772036bb7ecf437075e52fbd1b7
SHA256de779e13bf18c412dea8cc491b2e6d1f234b87ac97d4bcb037084192aba585f2
SHA512b62eda4ecaa6e9cc61bb83a334a40af31519303497ea010c12e0b88c021cc26d61de17e671da13aa5f05a4b13c703bf304b3a765400bfcfe4ed591e700d96f6e
-
Filesize
6KB
MD5bcf317ed50b09ff7733577aa97dcfda5
SHA194c9f8ae3cb3e5b55da7f1e5e18f3a32335e896c
SHA256f96772f91865be8da4031da128ef46082e3c3e8ee57fa7a6d394e8b62e781586
SHA51272b9a7322671db375020fca677b0096a6299049876774e9479ee2f6bfbeaa3f9039bfc608d67237daa508d06c24e98fa5455de252799eda1b9dd6344b4ac9198
-
Filesize
6KB
MD5c1b6f65fb31b7c60208f9fbbb5816b01
SHA13c526ea26e5714c084af63d045ccd3927cd899e5
SHA256f7227c8e17ce09802b6dde50d05d5412c35e609c4edde026ca20d99c31be9eb0
SHA512419a9ff8b07104525925d976caeabb20454edb27534b239663fd827581961c41aa68c3fe6f0033ac016ae7dde98674a2c1d7b87298295e410be6998f7f0f76a5
-
Filesize
1KB
MD56326cb05f4bb5733981212866d4e0669
SHA120b04a8adb75f2e6d67ae8fd4bac1015c5401bdc
SHA2562285749a3148a0d7dac091703615f4d52219adc970948625c5b02063d0064c97
SHA51297f947743a5d5e013257acc72267ef6c0db56157a38fb45779ddcd9e758d36451e976ab40a3181bb92bf1ecbe52b01d52360ede3f943f01b648e4ff598943058
-
Filesize
1KB
MD59634824e2b53d010a5e9cf12554399b3
SHA1acef5279a25110e9dc610c583a30fb51633672af
SHA256516420890796f82d4fd082079fd14e98ed74ea09546746c839f0c01b1b427068
SHA512f445904ffaa815216c998e0393ed1bfe2d7995ccd6778f3f1e2e51f5c8f1477de10bddcf25ad6fc1e95750462ca231d9e02ebf99417edb5bbdb3dc3904d428ce
-
Filesize
1KB
MD5fb52c05343be54b291b1c41f3c4899d7
SHA163855bd18dad2f748d8895b79197af90791ccbe2
SHA2560d8133dd89add7a767419e30217dbd26fc28ea54d884f74caa38a1e1fe5322e4
SHA512f0a768e653fc053291758979fd34074a36eeb649a04dfb76f0c04b0ac591ee29c9f50a7198391ed2fa99451b58665de9669278b0821f9e7a8e3fca9e1b138209
-
Filesize
1KB
MD57a9ca9d3f57b53ce092c103e8abac6b1
SHA11df1da6fbb2c6e608a1aaf80e53fc11ccff373c9
SHA2565051eb19a5834ce95a80b4ba64503a1546a47b808182068d97d3b3a006ed3480
SHA512f3dffa0a54f03cb7747c106e4f4568a15edbb517b384e33ea120c07ec2d80906ebf974008bd218aa79ddba572e7c0c877009de4e245199397b471e13ed5ef9a0
-
Filesize
1KB
MD5b7c3e763b1b01657b2780529d7eb8f01
SHA13c5d31a1f9b5d6630494a3c56fa7e16247f26525
SHA25660f91f697fb026249580339504b992a9186022f3cd2889155bf3f95e11aaaa3e
SHA512fd4d0c1a2894c81c63206ffe92489459c7ceef80f1d3289b62f26fd1854459928b04b2bf612d172cb18fcdbd3e392ee026c98c9621b3cc8cf4b18c4cec7945d2
-
Filesize
1KB
MD52106abb955e9b3d36bd526a21b2e1521
SHA106ba737987ad9156d537a8b7fbc0d668c7e1a30c
SHA2567851d47b371a5d15ab94b8ea21fcfb77e6740b6a51be98b653172aa033a3e5e2
SHA5121435fdc1741d874c501c490188a6d74eb5b6cde35a5d546954187de24425247527e1fb6be880949d249f8f6153f382aaef59900afe9b26acdda377f4654e4b20
-
Filesize
1KB
MD560c8ec2b78e75a8a5a142de1fa13109e
SHA1db016d545a9454fb73a4133cc3cc2f44b5ab023a
SHA256d6ce1686aa8314d569e6b9f9fe3444f4a54a2b17c8662eea78a9916166bf6f3b
SHA51241eb70e6521a2c06d8df59fe3f2b376f17fd8bcb4b9e375971f7baa7919934345251022f80485305a5b4750f5f8b18b1632d6a3465f639b46b81eff71295dc62
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5c2118f8f3f593e0df833636bb7634939
SHA161fdc556d67fde573eb925d83fca7d4baac89e15
SHA25643691ad9894199a7d6e2de5f294f1a4c42c9dc02b8e8d2ad1a9a772754c21f35
SHA5123b57e98ed1a5f80c0a620e473fea009eb07495c02707d1668d7be3f7710ac0ace6ec1d058c23b6e79e9c6c3794dd5567bd0eb44258ba4ac5db66981c8bc15cde
-
Filesize
12KB
MD5e8bc641ee3883992bde8b3f33df1bb0b
SHA1201d238a1267aa5862ba150c63a63e058f247838
SHA256469a1ec220fd3e78175db64d502d3767cf13d7fcc634c5a81e911c44c33b40fe
SHA512075930d7d4202e36b060963ba52f8e646ffa8b8d29ae0a87ce78e5946908ae7feb7f51936adb821388c9a8e1a2d141e06dba178e6f6b705c668e77e7d2459e43
-
Filesize
12KB
MD570f183eae60fed289fdbd7c8cef094fc
SHA174c7bf04ad21b40e5145c91e519758fab90a9ece
SHA2561b8f8e462b2f8e464eb6b2719f24c533aa9e8df22b7a602efe4f4d9c570c9b78
SHA51237dec485a3e00bdd23b7f99efeb69db720a4bfa782b17cbe0b07038f0b2a1ed5451ff889446da276dae0b64fd8856afd8e5bc95c79f31037e6580cbb2bea60e1
-
Filesize
12KB
MD5afc28c6b01a6d16dd41055d1b512a94f
SHA11f5de41fbfe463d04e4c98a1ab4e152c9ff2c1c8
SHA256d92707ba9e850f8e2b224315c67fe20ac9901bfbc696b71e855888013af5da4e
SHA512f4b6e0794c00d3e00923d5bff48719328df59f6b7a87ad825045f3f49b4d978c53510348da427cb3bc1c8fda89e0d9de2b43a3d3f4d2d92e9f7e0844aa180733
-
Filesize
12KB
MD5dc197ab57899da4a77a2e551169fd317
SHA1dae0cf895b78653f9055310edbfd972daa549935
SHA256a515e15e3afa7c73c45ff3d6f79d7331ee66e57600002f44792ec622841f7122
SHA512308e196973617b2c0d96d93d96b83671eed44ef05ddfe6b4d89e47ac3e56d84ad53428f1723402bc2814dffc1ec6c4df79f7db5de4f431e0e694b5d34a575f26
-
Filesize
41KB
MD55d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
Filesize
190KB
MD5de3b772a12f282ffcf6699e936967f39
SHA1be890d873392db3ce002559e7c6d3f8a407209c5
SHA25646674805e2b7ca3aa146bc386827842d763d43e35a832518f1b1c422e1750fca
SHA51234474d49d738232ba4aa165e7cb6a7aea4cd0d98a7c6213080f0c9f935c6c9f422b86f1aa6c4a5bc52942f673b86696f09fe47db992a3c7d47bf16c6f23bb65b
-
Filesize
333KB
MD5ae7312cc7678c08eb133f384eb1a5a47
SHA12039eab4bf1c35d168472fc60cec42060ad2c36a
SHA256094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a
SHA5127ed8d6d56da079b1af2d0d76d39e8b6ffce3115664b13e869f117c99346e2bd95cc450ab0c47a8575a4642bb5c254db9f33a37991ba005ea034e34b89f593424
-
Filesize
8KB
MD56d1c6d848c80c62c8886f3f4a05d9e16
SHA1cd815164b65537f8134b389ea8698591b5f92043
SHA256d6eb28f01b2d59777c30d37b851c095ce73c7fca0523805b7c1e6ad687d41d89
SHA51239dcfd16526e4a9f395a151a277deccee62f46a4e0380adebaa3556e7e6b73ee6a197b32db1b70ec0c1dc6e766e82115e8bce088ce3ba48ca0e9d790b4b20eb2
-
Filesize
14KB
MD519dbec50735b5f2a72d4199c4e184960
SHA16fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
360KB
-
Filesize
80KB
-
Filesize
5.6MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
272KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
7.7MB