Analysis
-
max time kernel
145s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10/05/2024, 15:32
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1238257842700681289/1238260617920512032/setup-file.rar?ex=663f4c51&is=663dfad1&hm=82f52e2da8bd34f43f582f66d3caf666e69775c6a19ce763f8768841a2e1952b&
Resource
win10v2004-20240508-en
General
-
Target
https://cdn.discordapp.com/attachments/1238257842700681289/1238260617920512032/setup-file.rar?ex=663f4c51&is=663dfad1&hm=82f52e2da8bd34f43f582f66d3caf666e69775c6a19ce763f8768841a2e1952b&
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 3140 Setup.exe 4728 Setup.exe -
Loads dropped DLL 21 IoCs
pid Process 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe 4728 Setup.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 54 pastebin.com 55 pastebin.com -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral1/files/0x000700000002346b-145.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2072 msedge.exe 2072 msedge.exe 3076 msedge.exe 3076 msedge.exe 3048 identity_helper.exe 3048 identity_helper.exe 3720 msedge.exe 3720 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1512 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeRestorePrivilege 2716 7zG.exe Token: 35 2716 7zG.exe Token: SeSecurityPrivilege 2716 7zG.exe Token: SeSecurityPrivilege 2716 7zG.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 2716 7zG.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe 3076 msedge.exe -
Suspicious use of SetWindowsHookEx 62 IoCs
pid Process 2220 OpenWith.exe 2220 OpenWith.exe 2220 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe 1512 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3076 wrote to memory of 4204 3076 msedge.exe 82 PID 3076 wrote to memory of 4204 3076 msedge.exe 82 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2728 3076 msedge.exe 84 PID 3076 wrote to memory of 2072 3076 msedge.exe 85 PID 3076 wrote to memory of 2072 3076 msedge.exe 85 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86 PID 3076 wrote to memory of 3636 3076 msedge.exe 86
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1238257842700681289/1238260617920512032/setup-file.rar?ex=663f4c51&is=663dfad1&hm=82f52e2da8bd34f43f582f66d3caf666e69775c6a19ce763f8768841a2e1952b&1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb683946f8,0x7ffb68394708,0x7ffb683947182⤵PID:4204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:22⤵PID:2728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:82⤵PID:3636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵PID:1344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵PID:1640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:82⤵PID:5096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:12⤵PID:5084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵PID:3692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:82⤵PID:1548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:12⤵PID:1656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵PID:4092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵PID:3776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12464429682654951752,16161705459501276132,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3396 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4480
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4440
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5008
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2220
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2600
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1512 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\setup-file.rar2⤵PID:2916
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\setup-file\" -ad -an -ai#7zMap7111:82:7zEvent280831⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2716
-
C:\Users\Admin\Downloads\setup-file\setup-file\Setup.exe"C:\Users\Admin\Downloads\setup-file\setup-file\Setup.exe"1⤵
- Executes dropped EXE
PID:3140 -
C:\Users\Admin\Downloads\setup-file\setup-file\Setup.exe"C:\Users\Admin\Downloads\setup-file\setup-file\Setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4728 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "about\error.txt"3⤵
- Checks computer location settings
- Modifies registry class
PID:1368 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\setup-file\setup-file\about\error.txt4⤵PID:4612
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
Filesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
6KB
MD5f176f23f30f43f23c701284cec23071c
SHA16c2947b16772809ed473e036579342c4c2768437
SHA25600e135aca314f7ff59c776af649a1b51242f9c61cd8dd271f9d083a643ee4b7f
SHA512fa65085050ba325fbd3c006a6c467bce31fe9f1a65eba9d969be1707c12d4b45401fc321ff1a681318d9fb9ab0d73ca8a28f00981483ac9ec301b954198b85a6
-
Filesize
6KB
MD5012956e811cff11592ed0c2930d78865
SHA10214114c5f8a29f346fb9362ad08c5d83395aa80
SHA2568424ce99ef95c32c8bb7f28d7d9978bccac1939187e13b4dbc164c263a8ce1ba
SHA5122936b64f3712acbdd39a419f7430613bf511dff208e15da610bc3111b29cc483dd955ecfdd77a9d8323bac48e37d841494b94b80f6b7c5ed0fd88f04a3244dee
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD540bf79c88bb3815de689e4131d76c1b9
SHA173942857adf16540b94a24513a52adde28127692
SHA2565b5958c509b0f26e85ad3f6abe6efc061254753a584a249993bee5df674dd4f4
SHA51285837e641525d613e41f68863c0751a254c3161ee8f657ef5ab63d1016d7f04778a3b4d7d63c555f34b496bf96615fda7400553189b831a931ad60d3dc0c83ed
-
Filesize
12KB
MD5b9ece7c97d1018cf067dbe5faf559573
SHA134f3aa0e4bed98bda5776d121357076b77f4e03a
SHA25651d794b9f4af07280b783c9629c056338802a1a2113fe841c30e26acc5a769a0
SHA5125e5f1b21f535193f1281a063385f6d665c87902b7f351179d4bd8fdca8217f99c1d572d3f079e62c6557cfdbad92161c34b1fb11ba4aa4537a9771951853f9b7
-
Filesize
11KB
MD5273bea94a18906421d3f9f909f6a6b48
SHA165fdd904dd93859f134eb982b06e643842d62ced
SHA256a008e22735b9bd3aa59a1ea266bf817eb26b34f4116e3cbb0c7c31a8beae9ad7
SHA51275ff39698b1a912af07c0560579666c6a6cbb3eda9828b2c93e510167cb091a8d9faa1b7600445735f3b78c7c80bb454cee6b24216b4b2e38d97c3268ba266a1
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
81KB
MD5bbe89cf70b64f38c67b7bf23c0ea8a48
SHA144577016e9c7b463a79b966b67c3ecc868957470
SHA256775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723
SHA5123ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1
-
Filesize
242KB
MD56339fa92584252c3b24e4cce9d73ef50
SHA1dccda9b641125b16e56c5b1530f3d04e302325cd
SHA2564ae6f6fb3992bb878416211221b3d62515e994d78f72eab51e0126ca26d0ee96
SHA512428b62591d4eba3a4e12f7088c990c48e30b6423019bebf8ede3636f6708e1f4151f46d442516d2f96453694ebeef78618c0c8a72e234f679c6e4d52bebc1b84
-
Filesize
60KB
MD5d856a545a960bf2dca1e2d9be32e5369
SHA167a15ecf763cdc2c2aa458a521db8a48d816d91e
SHA256cd33f823e608d3bda759ad441f583a20fc0198119b5a62a8964f172559acb7d3
SHA51234a074025c8b28f54c01a7fd44700fdedb391f55be39d578a003edb90732dec793c2b0d16da3da5cdbd8adbaa7b3b83fc8887872e284800e7a8389345a30a6a4
-
Filesize
153KB
MD50a94c9f3d7728cf96326db3ab3646d40
SHA18081df1dca4a8520604e134672c4be79eb202d14
SHA2560a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31
SHA5126f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087
-
Filesize
29KB
MD552d0a6009d3de40f4fa6ec61db98c45c
SHA15083a2aff5bcce07c80409646347c63d2a87bd25
SHA256007bcf19d9b036a7e73f5ef31f39bfb1910f72c9c10e4a1b0658352cfe7a8b75
SHA512cd552a38efaa8720a342b60318f62320ce20c03871d2e50d3fa3a9a730b84dacdbb8eb4d0ab7a1c8a97215b537826c8dc532c9a55213bcd0c1d13d7d8a9ad824
-
Filesize
75KB
MD50f5e64e33f4d328ef11357635707d154
SHA18b6dcb4b9952b362f739a3f16ae96c44bea94a0e
SHA2568af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe
SHA5124be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643
-
Filesize
155KB
MD59ddb64354ef0b91c6999a4b244a0a011
SHA186a9dc5ea931638699eb6d8d03355ad7992d2fee
SHA256e33b7a4aa5cdd5462ee66830636fdd38048575a43d06eb7e2f688358525ddeab
SHA5124c86478861fa4220680a94699e7d55fbdc90d2785caee10619cecb058f833292ee7c3d6ac2ed1ef34b38fbff628b79d672194a337701727a54bb6bbc5bf9aeca
-
Filesize
812KB
MD5fbd6be906ac7cd45f1d98f5cb05f8275
SHA15d563877a549f493da805b4d049641604a6a0408
SHA256ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA5121547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a
-
Filesize
268KB
MD559a15f9a93dcdaa5bfca246b84fa936a
SHA17f295ea74fc7ed0af0e92be08071fb0b76c8509e
SHA2562c11c3ce08ffc40d390319c72bc10d4f908e9c634494d65ed2cbc550731fd524
SHA512746157a0fcedc67120c2a194a759fa8d8e1f84837e740f379566f260e41aa96b8d4ea18e967e3d1aa1d65d5de30453446d8a8c37c636c08c6a3741387483a7d7
-
Filesize
10KB
MD50e2a2addd0d5b21193dbaae162604181
SHA1526b25822b2571307fe8d4208c83227c0c64cb10
SHA256ab0a8fd8f085766a2a7001380e6ee219d5ae68d0194498eeb8d3866f922fbcae
SHA5126e0f0fa11fff0853e4063f5e1a526936cd682303f94b13da0bd4fb6b2da5efdbb3acb378951508ee3a2dea7f7e2c1d6f968e00ae63d1b6063cc2ad932a3856e9
-
Filesize
114KB
MD5c6c87fc7bd7555026bb1738857066cff
SHA13c89dcbc228a7b689860545495f7a081721c5a12
SHA2561a6961fd249dbb3a9ccc903fe5ec4631616594edefb19db423fb488b3dba619a
SHA51263d5b76830d17f90c7d846c8481fac33d86cf1e606d4e33cbe5af868b41d35e7c8c95b93906258d1954809d13a46036fabad093a8693bd29121c020f743faeaa
-
Filesize
3.3MB
MD56f4b8eb45a965372156086201207c81f
SHA18278f9539463f0a45009287f0516098cb7a15406
SHA256976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541
SHA5122c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f
-
Filesize
686KB
MD58769adafca3a6fc6ef26f01fd31afa84
SHA138baef74bdd2e941ccd321f91bfd49dacc6a3cb6
SHA2562aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071
SHA512fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b
-
Filesize
63KB
MD5c17b7a4b853827f538576f4c3521c653
SHA16115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA5128e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7
-
Filesize
4.3MB
MD5deaf0c0cc3369363b800d2e8e756a402
SHA13085778735dd8badad4e39df688139f4eed5f954
SHA256156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA5125cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
-
Filesize
28KB
MD5c119811a40667dca93dfe6faa418f47a
SHA1113e792b7dcec4366fc273e80b1fc404c309074c
SHA2568f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7
SHA512107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3
-
Filesize
39KB
MD5a4c988361c7f69e080de5eb1a6c3f5cd
SHA186d77b7a17c79a1db9c6790b23b0702b245ed94c
SHA25602d867d8f8120658255c6e5ec426010c149fe353795f79326fe5de3e849fc6c8
SHA512dc73a144dc007ed9b207e9ca02e3a8663e705f71e3873d5d883e7e3fecba3d6268b4fa59a1f88db023d4b98aaef6fc5677e7269fff0c2c0e4eab8f98e57b062a
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
Filesize
1.1MB
MD54c8af8a30813e9380f5f54309325d6b8
SHA1169a80d8923fb28f89bc26ebf89ffe37f8545c88
SHA2564b6e3ba734c15ec789b5d7469a5097bd082bdfd8e55e636ded0d097cf6511e05
SHA512ea127779901b10953a2bf9233e20a4fab2fba6f97d7baf40c1b314b7cd03549e0f4d2fb9bad0fbc23736e21eb391a418d79a51d64402245c1cd8899e4d765c5a
-
Filesize
512KB
MD54652c4087b148d08adefedf55719308b
SHA130e06026fea94e5777c529b479470809025ffbe2
SHA256003f439c27a532d6f3443706ccefac6be4152bebc1aa8bdf1c4adfc095d33795
SHA512d4972c51ffbce63d2888ddfead2f616166b6f21a0c186ccf97a41c447c1fac6e848f464e4acde05bea5b24c73c5a03b834731f8807a54ee46ca8619b1d0c465d
-
Filesize
10.2MB
MD5fc821be26f0751f448288ac3d4eb2a48
SHA1e08c86cf040ddce41f70a705d4b0434de3884c98
SHA256bd8f33bff48ea9bee08c0aafe1e09b2a97a45e98be418201ad799a435f2be482
SHA5124f1032798347af2701d3f89ecee27192ff72d46360d9f82720b7da249a6f2e182b209e189fd94ee5bef022f6377e67411c1223783744a5c37c8ea6e6553bafce
-
Filesize
10.5MB
MD5e655959b26f0aebb48ce59a8c4b2e1d9
SHA1f1bfe9e045ab21d27c798b0b3beb46eb7889c0a8
SHA2562a651bb8c2d72c159599f3702e38df67d535f740bee734d8afbe7fffc8a877e5
SHA5121b44178b82f3400862a18d17a3fd39de29ab3c385b020db6752532940f73a5f55220dfef1eac4bc994cc2def396d2f6597f788dc5afb1fdf6189f09742c0749c
-
Filesize
22B
MD5fa0a6866f06ecc5db780b047802e9ecd
SHA16846053deec25b04028a67ca88173e908f3bffcb
SHA2560d74840faf4775a49e88102f0715f5338d8fac71c65c4bae628dc00060954e4f
SHA5120fa7fe7fcc1e0a778cab67b1d4e8b562fb5ef874fa4e59c351a8af28bdd9d0b4a3c74b864656400a98549ca0f05bc75c0147b42e76b1ce4573d0c3e5b9555d41