Analysis
-
max time kernel
143s -
max time network
131s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
14-05-2024 13:28
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://hosting.tempauto.ru/Adobe.rar
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
https://hosting.tempauto.ru/Adobe.rar
Resource
win11-20240426-en
General
-
Target
https://hosting.tempauto.ru/Adobe.rar
Malware Config
Signatures
-
Detect ZGRat V1 33 IoCs
resource yara_rule behavioral2/memory/920-169-0x0000000034530000-0x000000003458E000-memory.dmp family_zgrat_v1 behavioral2/memory/920-171-0x0000000034BA0000-0x0000000034BFE000-memory.dmp family_zgrat_v1 behavioral2/memory/920-175-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-179-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-231-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-230-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-227-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-225-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-221-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-219-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-218-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-213-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-209-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-207-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-205-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-203-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-201-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-199-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-197-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-195-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-193-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-191-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-189-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-187-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-185-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-183-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-181-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-177-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-223-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-215-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-211-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-173-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 behavioral2/memory/920-172-0x0000000034BA0000-0x0000000034BF7000-memory.dmp family_zgrat_v1 -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral2/memory/920-164-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 behavioral2/memory/920-167-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 -
Executes dropped EXE 4 IoCs
pid Process 4400 Adobe.exe 4664 Adobe.exe 920 dwewgsuF.pif 1332 dwewgsuF.pif -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fusgwewd = "C:\\Users\\Public\\Fusgwewd.url" Adobe.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com 12 api.ipify.org 22 api.ipify.org 26 api.ipify.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4400 set thread context of 920 4400 Adobe.exe 107 PID 4664 set thread context of 1332 4664 Adobe.exe 108 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3880 msedge.exe 3880 msedge.exe 1220 msedge.exe 1220 msedge.exe 4408 msedge.exe 4408 msedge.exe 920 dwewgsuF.pif 920 dwewgsuF.pif 920 dwewgsuF.pif 1332 dwewgsuF.pif 1332 dwewgsuF.pif 1332 dwewgsuF.pif -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeRestorePrivilege 5116 7zG.exe Token: 35 5116 7zG.exe Token: SeSecurityPrivilege 5116 7zG.exe Token: SeSecurityPrivilege 5116 7zG.exe Token: SeDebugPrivilege 920 dwewgsuF.pif Token: SeDebugPrivilege 1332 dwewgsuF.pif -
Suspicious use of FindShellTrayWindow 40 IoCs
pid Process 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 5116 7zG.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe 1220 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 920 dwewgsuF.pif 1332 dwewgsuF.pif -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1220 wrote to memory of 2848 1220 msedge.exe 78 PID 1220 wrote to memory of 2848 1220 msedge.exe 78 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3788 1220 msedge.exe 79 PID 1220 wrote to memory of 3880 1220 msedge.exe 80 PID 1220 wrote to memory of 3880 1220 msedge.exe 80 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81 PID 1220 wrote to memory of 3952 1220 msedge.exe 81
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hosting.tempauto.ru/Adobe.rar1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc0b5d3cb8,0x7ffc0b5d3cc8,0x7ffc0b5d3cd82⤵PID:2848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:22⤵PID:3788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:82⤵PID:3952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵PID:4936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:12⤵PID:4468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:12⤵PID:576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:82⤵PID:944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:12⤵PID:688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵PID:2076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵PID:1432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:12⤵PID:4228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:82⤵PID:2372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵PID:4532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:82⤵PID:2448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:12⤵PID:680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵PID:2100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,17316112294145938399,9469816793364341170,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4936 /prefetch:22⤵PID:4720
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2064
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:792
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1116
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20409:72:7zEvent95001⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5116
-
C:\Users\Admin\Downloads\Adobe.exe"C:\Users\Admin\Downloads\Adobe.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4400 -
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\Downloads\Adobe.exe C:\\Users\\Public\\Libraries\\Fusgwewd.PIF2⤵PID:3604
-
-
C:\Users\Public\Libraries\dwewgsuF.pifC:\Users\Public\Libraries\dwewgsuF.pif2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:920
-
-
C:\Users\Admin\Downloads\Adobe.exe"C:\Users\Admin\Downloads\Adobe.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4664 -
C:\Users\Public\Libraries\dwewgsuF.pifC:\Users\Public\Libraries\dwewgsuF.pif2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1332
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a2b27f9944b7a8fc82c0caf50fe54528
SHA1de187242e28c9e7f739b43a8344e365d41927cb5
SHA2560d2419c80f9893066855b83fa64adc6cd6353b5e02788656fd94fe1168c9d856
SHA512fa79bb14ee1e13e48eb87cac2a51e89657c30a994cde937d47350acd3384ba4b7f60fefa0f7d8053ef702d53e1dd7ffa2aea165b870d1167c4df87e5fea4aed0
-
Filesize
152B
MD51e4ed4a50489e7fc6c3ce17686a7cd94
SHA1eac4e98e46efc880605a23a632e68e2c778613e7
SHA256fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a
SHA5125c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28
-
Filesize
152B
MD58ff8bdd04a2da5ef5d4b6a687da23156
SHA1247873c114f3cc780c3adb0f844fc0bb2b440b6d
SHA25609b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae
SHA5125633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e
-
Filesize
187B
MD513782a4f38ec953f8680ded952447946
SHA11b2bf0ab8616dfd4b36655abefeecd114647d9c5
SHA256900d5ad4a4b754b605d1d0e7bd621875d15898c774fd8037e78006fa01703a97
SHA5127a1258750c91263586fd3a8717a32c04be4e18594390179cc32b7426fe7f8c3d09721ba4aebf0fa9a360710541ad32a7d9b5ce12a13501b54a327b4d6380b081
-
Filesize
5KB
MD50c3f603318699aeb430fd658e0e51194
SHA1bfe89dbd9b26aadf41369d257e2736a321907e28
SHA256ae6363e22fe72625b173b09e3f99e69b7299113647df093d14f3ef4d6f3dafbe
SHA51246f1a9666cd57557ca5cb40adafc87c3ac4ed8016baf61857f1c82fc82f9aa33f04d9f2f8490d3ebdd0ffbb05ae37cd80a33f762c9e2d658951a3bc2224d3266
-
Filesize
5KB
MD5456c6034908efac6c5bfe8903c07e5f7
SHA127df3b1673e77ca7a19bbbb53d86ac82fe9a1862
SHA256d90601d32251ed626279065fc94a40d75d796a3a39eb959cd4a4ebf50f0ae8af
SHA512d91ef0993ada08249a31657159b27f07f577e1b814de4f7266a2d4861727902d296aa363c7d48538def751a95e6066c8dbd7d09925dacec9e9dde1eb46dcaca4
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5efcdbec1aa055cd75121c2cf0a7c4642
SHA1e5a15fb972c15a4cb7cd3b2c89542f1e63d7f698
SHA256c973606e270866dced15821c3ded6ca068f85ec979050180fd62c709963d4b63
SHA512326f1383e087e8eafb6afb2a2af75f5d9d7ebf2c9e949c58b4ec5874f9eb3518539d3c6487902a4333a0d434ef26a5da22dac2496e595908d443c168e222291c
-
Filesize
12KB
MD5e00a6b74a5fde0cef84a333308c41087
SHA16f7820a0873b594fea34ae2291a217914ba9ec02
SHA256019d0aebfe069d2e2aa170965e5ded734e2474f6d93566321b80c72e35acfb3e
SHA512259e4aaaae458f7c7c69d14f3e853fb99f08ad8abafa52ea2a76d845c7c8144aa5421a43eda15cec0ecb99021e002bcbf33bc7f4166a8946ddda63554d33086e
-
Filesize
11KB
MD5a2fca0fb9eebc5bda6c2a08b88a1df33
SHA14aeff69d9efe3d406d399e3623a05edb96d4a8f1
SHA25648cba12767fd794216758dd9d81749a020776fed6160ff733a82629a1d2ce5d7
SHA512db29e20a4f393e73f1a4cd3a35d7cc0f51f75bf8a3c2389de53760dac6a170f0909e5d1a1819d90dec0f33108e1f9a26b2de23a61e97fc025b9ce6ac2478a3bd
-
Filesize
11KB
MD5d2f1f4114d58698c762caa67feed180b
SHA133cb04475d06624f264393ffe87dbbc45659b86e
SHA2560e347fc96b35d4d7c76f6f1adc322d2c422109bb4e881ee996434c848e1f98aa
SHA51216791b0aa2c513439ced1026871a9db385170b3fed3a7c1521e57b7e31b88405d9596db5318744d796e0e2d252aa2fc48ce22ef2b182b553f3190086bb63e026
-
Filesize
1.4MB
MD532769244b3c9180aaeda9bdbc94e3c28
SHA1a76ee5e814514bcdce374b2a12adb69f216be63c
SHA256fe396a1237d49be994cea981a0634f8535736c67942d050b43dca2c38038de52
SHA5126cf72600a174d64eb1f3513dbeeb4c445c619a2352836705796e7f636082b9178d99d08e7c7e6ff8162617b41e9ffc0f609a00916f0fb2a7d91ab499d3717f43
-
Filesize
412KB
MD588592b17526e132988cee3ad37f0d852
SHA1c49c43010c7e9d812437eed3cb8a1ac21812d81c
SHA256cd5999b7894bd16871b5f43adf2d2dd9c12e67977e01566ac39f09abb0d04835
SHA5121fc43dfdc57dfc52926c7d02ee3c9efde294e72bd015a8fb343bacce8e94004823ac0f9e630c45a2ae58dec36a18e30ba69ccb6e68dc58490f2e7ca201d2cd26
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6