Overview
overview
10Static
static
34728b5eb67...31.exe
windows7-x64
74728b5eb67...31.exe
windows10-2004-x64
10$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Epsilon.exe
windows7-x64
10Epsilon.exe
windows10-2004-x64
10LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/...dex.js
windows7-x64
1resources/...dex.js
windows10-2004-x64
1resources/....2.bat
windows7-x64
7resources/....2.bat
windows10-2004-x64
7resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1swiftshade...GL.dll
windows7-x64
1swiftshade...GL.dll
windows10-2004-x64
1swiftshade...v2.dll
windows7-x64
1swiftshade...v2.dll
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows7-x64
3Analysis
-
max time kernel
163s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-03-2024 01:28
Static task
static1
Behavioral task
behavioral1
Sample
4728b5eb6799fbe8850e03e7f7c73ceb7e530010b6179e157a016a6519cd1a31.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4728b5eb6799fbe8850e03e7f7c73ceb7e530010b6179e157a016a6519cd1a31.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240319-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Epsilon.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Epsilon.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
LICENSES.chromium.html
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
LICENSES.chromium.html
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240319-en
Behavioral task
behavioral12
Sample
ffmpeg.dll
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral14
Sample
libEGL.dll
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
libGLESv2.dll
Resource
win7-20240221-en
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral18
Sample
resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/index.js
Resource
win7-20240215-en
Behavioral task
behavioral19
Sample
resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/index.js
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/screenCapture_1.3.2.bat
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/screenCapture_1.3.2.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral22
Sample
resources/elevate.exe
Resource
win7-20240215-en
Behavioral task
behavioral23
Sample
resources/elevate.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral24
Sample
swiftshader/libEGL.dll
Resource
win7-20240220-en
Behavioral task
behavioral25
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral26
Sample
swiftshader/libGLESv2.dll
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20240319-en
Behavioral task
behavioral28
Sample
vk_swiftshader.dll
Resource
win7-20240221-en
Behavioral task
behavioral29
Sample
vk_swiftshader.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral30
Sample
vulkan-1.dll
Resource
win7-20240221-en
Behavioral task
behavioral31
Sample
vulkan-1.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240221-en
General
-
Target
Epsilon.exe
-
Size
134.3MB
-
MD5
128d442c123dbbeefecbffea681b591b
-
SHA1
88eaf983ab17105eab1e399794f84f50f0ce6d43
-
SHA256
a12809190b023bc9ea27d62ef20c705ecdfc59e93c081ee5af996c5b484c325b
-
SHA512
779f1b557de61fbf9dad1fe04149c18c26a1cabf8beb2c57c2dd57a1a4be3a88187ffbef8657bcd948a0a6d40ea0f09c3381b290fd597210f039b854dec41eb1
-
SSDEEP
1572864:XicLgaO9p7sMMcmhRhgBx/CyhwGKsME1:khTRsJE1
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Epsilon.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Epsilon.exe -
Loads dropped DLL 2 IoCs
Processes:
Epsilon.exepid Process 2656 Epsilon.exe 2656 Epsilon.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsBootManager = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsBootManager.exe" reg.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 ipinfo.io 18 ipinfo.io -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid Process 3224 tasklist.exe 3876 tasklist.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 2592 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
Epsilon.exeEpsilon.exepid Process 2480 Epsilon.exe 2480 Epsilon.exe 2480 Epsilon.exe 2528 Epsilon.exe 2528 Epsilon.exe 2528 Epsilon.exe 2528 Epsilon.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exetaskkill.exetasklist.exeWMIC.exedescription pid Process Token: SeIncreaseQuotaPrivilege 4284 WMIC.exe Token: SeSecurityPrivilege 4284 WMIC.exe Token: SeTakeOwnershipPrivilege 4284 WMIC.exe Token: SeLoadDriverPrivilege 4284 WMIC.exe Token: SeSystemProfilePrivilege 4284 WMIC.exe Token: SeSystemtimePrivilege 4284 WMIC.exe Token: SeProfSingleProcessPrivilege 4284 WMIC.exe Token: SeIncBasePriorityPrivilege 4284 WMIC.exe Token: SeCreatePagefilePrivilege 4284 WMIC.exe Token: SeBackupPrivilege 4284 WMIC.exe Token: SeRestorePrivilege 4284 WMIC.exe Token: SeShutdownPrivilege 4284 WMIC.exe Token: SeDebugPrivilege 4284 WMIC.exe Token: SeSystemEnvironmentPrivilege 4284 WMIC.exe Token: SeRemoteShutdownPrivilege 4284 WMIC.exe Token: SeUndockPrivilege 4284 WMIC.exe Token: SeManageVolumePrivilege 4284 WMIC.exe Token: 33 4284 WMIC.exe Token: 34 4284 WMIC.exe Token: 35 4284 WMIC.exe Token: 36 4284 WMIC.exe Token: SeIncreaseQuotaPrivilege 4284 WMIC.exe Token: SeSecurityPrivilege 4284 WMIC.exe Token: SeTakeOwnershipPrivilege 4284 WMIC.exe Token: SeLoadDriverPrivilege 4284 WMIC.exe Token: SeSystemProfilePrivilege 4284 WMIC.exe Token: SeSystemtimePrivilege 4284 WMIC.exe Token: SeProfSingleProcessPrivilege 4284 WMIC.exe Token: SeIncBasePriorityPrivilege 4284 WMIC.exe Token: SeCreatePagefilePrivilege 4284 WMIC.exe Token: SeBackupPrivilege 4284 WMIC.exe Token: SeRestorePrivilege 4284 WMIC.exe Token: SeShutdownPrivilege 4284 WMIC.exe Token: SeDebugPrivilege 4284 WMIC.exe Token: SeSystemEnvironmentPrivilege 4284 WMIC.exe Token: SeRemoteShutdownPrivilege 4284 WMIC.exe Token: SeUndockPrivilege 4284 WMIC.exe Token: SeManageVolumePrivilege 4284 WMIC.exe Token: 33 4284 WMIC.exe Token: 34 4284 WMIC.exe Token: 35 4284 WMIC.exe Token: 36 4284 WMIC.exe Token: SeDebugPrivilege 2592 taskkill.exe Token: SeDebugPrivilege 3224 tasklist.exe Token: SeIncreaseQuotaPrivilege 3840 WMIC.exe Token: SeSecurityPrivilege 3840 WMIC.exe Token: SeTakeOwnershipPrivilege 3840 WMIC.exe Token: SeLoadDriverPrivilege 3840 WMIC.exe Token: SeSystemProfilePrivilege 3840 WMIC.exe Token: SeSystemtimePrivilege 3840 WMIC.exe Token: SeProfSingleProcessPrivilege 3840 WMIC.exe Token: SeIncBasePriorityPrivilege 3840 WMIC.exe Token: SeCreatePagefilePrivilege 3840 WMIC.exe Token: SeBackupPrivilege 3840 WMIC.exe Token: SeRestorePrivilege 3840 WMIC.exe Token: SeShutdownPrivilege 3840 WMIC.exe Token: SeDebugPrivilege 3840 WMIC.exe Token: SeSystemEnvironmentPrivilege 3840 WMIC.exe Token: SeRemoteShutdownPrivilege 3840 WMIC.exe Token: SeUndockPrivilege 3840 WMIC.exe Token: SeManageVolumePrivilege 3840 WMIC.exe Token: 33 3840 WMIC.exe Token: 34 3840 WMIC.exe Token: 35 3840 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Epsilon.execmd.execmd.execmd.execmd.execmd.exedescription pid Process procid_target PID 2656 wrote to memory of 3980 2656 Epsilon.exe 95 PID 2656 wrote to memory of 3980 2656 Epsilon.exe 95 PID 3980 wrote to memory of 4284 3980 cmd.exe 97 PID 3980 wrote to memory of 4284 3980 cmd.exe 97 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 1036 2656 Epsilon.exe 98 PID 2656 wrote to memory of 2480 2656 Epsilon.exe 99 PID 2656 wrote to memory of 2480 2656 Epsilon.exe 99 PID 2656 wrote to memory of 3044 2656 Epsilon.exe 105 PID 2656 wrote to memory of 3044 2656 Epsilon.exe 105 PID 3044 wrote to memory of 2592 3044 cmd.exe 107 PID 3044 wrote to memory of 2592 3044 cmd.exe 107 PID 2656 wrote to memory of 4584 2656 Epsilon.exe 108 PID 2656 wrote to memory of 4584 2656 Epsilon.exe 108 PID 2656 wrote to memory of 3548 2656 Epsilon.exe 110 PID 2656 wrote to memory of 3548 2656 Epsilon.exe 110 PID 2656 wrote to memory of 1072 2656 Epsilon.exe 111 PID 2656 wrote to memory of 1072 2656 Epsilon.exe 111 PID 4584 wrote to memory of 368 4584 cmd.exe 114 PID 4584 wrote to memory of 368 4584 cmd.exe 114 PID 3548 wrote to memory of 4620 3548 cmd.exe 115 PID 3548 wrote to memory of 4620 3548 cmd.exe 115 PID 1072 wrote to memory of 3224 1072 cmd.exe 116 PID 1072 wrote to memory of 3224 1072 cmd.exe 116 PID 2656 wrote to memory of 3692 2656 Epsilon.exe 118 PID 2656 wrote to memory of 3692 2656 Epsilon.exe 118
Processes
-
C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"2⤵
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\System32\Wbem\WMIC.exewmic CsProduct Get UUID3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
-
-
C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1632,16709578440016631260,1987691553518215258,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 /prefetch:22⤵PID:1036
-
-
C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,16709578440016631260,1987691553518215258,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --mojo-platform-channel-handle=1956 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"2⤵
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\system32\taskkill.exetaskkill /IM msedge.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""2⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"3⤵PID:368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"2⤵
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath3⤵PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"2⤵PID:3692
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:3544
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:4280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"2⤵PID:4636
-
C:\Windows\system32\cmd.execmd /c chcp 650013⤵PID:3372
-
C:\Windows\system32\chcp.comchcp 650014⤵PID:1256
-
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵PID:2964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f"2⤵PID:4928
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f3⤵
- Adds Run key to start application
PID:696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3052
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:3876
-
-
-
C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1632,16709578440016631260,1987691553518215258,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADoAAAIAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2688 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3692
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5c639773c96bd5fbdaf6f1a6333662bb4
SHA10f5fecc2a6c750ddb730f382310e9e64ab8f202c
SHA256c09f6c2894a46f149688601cb67624afdd122a0c494fa926fa0f83c75785ea35
SHA5129bbe978078db99c917a315cf001a0713858007d2fc0632c73b30b490c89ceaa70578bcc38c6a59845e97c643c708587910ce27b687c96d298f5bf007d4c70802
-
Filesize
240B
MD5810ae82f863a5ffae14d3b3944252a4e
SHA15393e27113753191436b14f0cafa8acabcfe6b2a
SHA256453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c
SHA5122421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112
-
Filesize
231B
MD5dec2be4f1ec3592cea668aa279e7cc9b
SHA1327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA51281728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66
-
Filesize
652KB
MD57f9b96ba7cbbb0c88d2005ccb669b54c
SHA1c3aea9f1075493deb74c1a05f73f609a8086a8d9
SHA2568c60efec7940e69a083350640ec5f42d43d8b979711080f1aef3bda825a9928b
SHA512306aa838d928fc98b0d7429d984cf32d4814d9312445f4745bcf7f920d63223f8e1965bb36f7bf6518228f4541c5c5aa74fc28aa358055f1f893b0edd7216d82