Analysis

  max time kernel:   149s
  max time network:  151s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240426-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         20-05-2024 01:56
  Static task:       static1
  URLScan task:      urlscan1
Malware Config

Extracted
  Family:   quasar
  Version:  3.1.5
  Botnet:   SeroXen
  C2:       chinese-golden.gl.at.ply.gg:44086
  Mutex:    $Sxr-8pC7X2mG070btopC86
  Attributes:
    encryption_key:   X7DsXqksH10Qr4Gz4fsk
    install_name:     HAHAHAHAHA LMAOO.exe
    log_directory:    Logs
    reconnect_delay:  1000
    startup_key:      Svhost
    subdirectory:     SubDir
Signatures

Quasar payload  (2 IoCs)
  resource                                                                       yara_rule
  C:\Users\Admin\Downloads\Unconfirmed 936870.crdownload                        family_quasar
  behavioral1/memory/5648-208-0x00000000000B0000-0x000000000011C000-memory.dmp  family_quasar
  Both the downloaded file and the memory of pid 5648 (Sxr_Installer.bat) match the Quasar rule.

Downloads MZ/PE file

Executes dropped EXE  (4 IoCs)
  pid   process
  5648  Sxr_Installer.bat
  5884  HAHAHAHAHA LMAOO.exe
  4928  Sxr_Installer.bat
  932   Sxr_Installer.bat
  Despite its .bat extension, Sxr_Installer.bat runs as a PE image (pids 5648, 4928, 932): it requests SeDebugPrivilege, its memory matches family_quasar, and a CLR usage log named after it (CLR_v4.0_32\UsageLogs\Sxr_Installer.bat.log, see Downloads) is written, so it is a .NET executable.
Legitimate hosting services abused for malware hosting/C2  (1 TTPs, 2 IoCs)
  The archive was fetched from github.com (see the msedge.exe command line under Processes), and the C2 endpoint chinese-golden.gl.at.ply.gg:44086 is a hostname under ply.gg, the domain used by the playit.gg tunnelling service.

Looks up external IP address via web service  (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  75    ip-api.com
Drops file in System32 directory  (5 IoCs)
  description                   ioc                                                                process
  File opened for modification  C:\Windows\SysWOW64\SubDir                                         HAHAHAHAHA LMAOO.exe
  File created                  C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe                    Sxr_Installer.bat
  File opened for modification  C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe                    Sxr_Installer.bat
  File created                  C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe:SmartScreen:$DATA  Sxr_Installer.bat
  File opened for modification  C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe                    HAHAHAHAHA LMAOO.exe
  The install path is the config's subdirectory (SubDir) plus install_name (HAHAHAHAHA LMAOO.exe); it lands in SysWOW64 rather than System32, which indicates a 32-bit (WOW64) installer process. The copy also receives a SmartScreen alternate data stream.

Creates scheduled task(s)  (1 TTPs, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  5832  schtasks.exe
  5928  SCHTASKS.exe
  6012  schtasks.exe
  5496  SCHTASKS.exe
  3964  SCHTASKS.exe
  Two task names are created (command lines under Processes): "Svhost", the config's startup_key, triggered ONLOGON with /rl HIGHEST and pointing first at the downloaded file and then at the SysWOW64\SubDir copy; and "$77Sxr_Installer.bat", created three times with the same trigger and run level. /rl HIGHEST runs the task with the user's elevated token at logon, with no UAC prompt, when the user is an administrator. The $77 prefix is the naming convention of the r77 rootkit, which hides processes, files, registry entries and scheduled tasks whose names start with $77, so on a host where r77 is loaded this task does not appear in an ordinary task listing.
Enumerates system info in registry  (2 TTPs, 3 IoCs)
  description        ioc                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  All three events come from msedge.exe, not from the payload.

NTFS ADS  (1 IoCs)
  description                   ioc                                                                process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 936870.crdownload:SmartScreen  msedge.exe
  This is the browser marking its own download; the payload's stream activity is listed under "Drops file in System32 directory".

Runs regedit.exe  (1 IoCs)
  pid   process
  5948  regedit.exe
Suspicious behavior: EnumeratesProcesses  (12 IoCs)
  pid   process              events
  1560  msedge.exe           2
  4856  msedge.exe           2
  664   identity_helper.exe  2
  5560  msedge.exe           2
  5512  msedge.exe           4

Suspicious behavior: GetForegroundWindowSpam  (1 IoCs)
  pid   process
  5948  regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  (7 IoCs)
  pid   process     events
  4856  msedge.exe  7

Suspicious use of AdjustPrivilegeToken  (8 IoCs)
  token                pid   process
  SeDebugPrivilege     5648  Sxr_Installer.bat
  SeDebugPrivilege     5884  HAHAHAHAHA LMAOO.exe
  SeRestorePrivilege   5572  7zG.exe
  35                   5572  7zG.exe
  SeSecurityPrivilege  5572  7zG.exe
  SeSecurityPrivilege  5572  7zG.exe
  SeDebugPrivilege     4928  Sxr_Installer.bat
  SeDebugPrivilege     932   Sxr_Installer.bat
  The SeDebugPrivilege requests are the payload's (all three Sxr_Installer.bat instances and the installed copy); the 7zG.exe entries are normal for an archiver.

Suspicious use of FindShellTrayWindow  (36 IoCs)
  pid   process     events
  4856  msedge.exe  35
  5572  7zG.exe     1

Suspicious use of SendNotifyMessage  (24 IoCs)
  pid   process     events
  4856  msedge.exe  24

Suspicious use of SetWindowsHookEx  (1 IoCs)
  pid   process
  5884  HAHAHAHAHA LMAOO.exe
  Only the installed copy installs a Windows hook, consistent with Quasar's keyboard-hook keylogger.

Suspicious use of WriteProcessMemory  (64 IoCs)
  source           targets                                                       events
  4856 msedge.exe  4112 msedge.exe, 1896 msedge.exe, 1560 msedge.exe, 4432 msedge.exe  64
  Every source and target is msedge.exe; none of the writes involve the payload processes.
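The three task-creation command lines recorded under Processes are what a detection engineer would key on, so here is an added example (not part of the sandbox report) that parses `schtasks /create` command lines as they appear in process-creation telemetry and scores the persistence signals seen in this run: ONLOGON trigger, /rl HIGHEST, a task name one edit away from a Windows system process name ("Svhost" vs svchost), the r77 rootkit's `$77` hiding prefix, and an action binary in a user-writable directory or one level below System32/SysWOW64. The three report lines are quoted verbatim; the benign control line, the list of system process names, the edit-distance threshold and the path patterns are my own heuristics, not something the report states.

```python
"""Score schtasks /create command lines for persistence tradecraft.
Added example; not part of the sandbox report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The three task-creation command lines exactly as they appear in the process tree.
REPORT_COMMAND_LINES = [
    r'"schtasks" /create /tn "Svhost" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Sxr_Installer.bat" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Svhost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe" /rl HIGHEST /f',
    r'''"SCHTASKS.exe" /create /tn "$77Sxr_Installer.bat" /tr "'C:\Users\Admin\Downloads\Sxr_Installer.bat'" /sc onlogon /rl HIGHEST''',
]
# Constructed benign control line (assumption, not from the report).
BENIGN_COMMAND_LINE = r'"schtasks" /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /ru SYSTEM'

# /switch followed by an optional quoted or bare value; /f and /create take none.
SWITCH_RE = re.compile(r'/(?P<name>[A-Za-z]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s/"]\S*)))?')
# Names that malware likes to imitate (heuristic list, my assumption).
SYSTEM_PROCESS_NAMES = ("svchost", "csrss", "lsass", "wininit", "winlogon", "explorer", "conhost", "dwm", "smss")
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|AppData|Desktop|Documents)\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)
# Weak signal: an .exe exactly one directory below System32/SysWOW64. Legitimate
# nested binaries exist (e.g. wbem\WMIC.exe), so it only counts with other signals.
NESTED_SYSTEM_DIR_RE = re.compile(r"\\Windows\\(?:System32|SysWOW64)\\[^\\]+\\[^\\]+\.exe$", re.I)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Map each /switch (lower-cased) to its value; '' for valueless switches such as /f."""
    opts: dict[str, str] = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else (m.group("bare") or "")
        opts[m.group("name").lower()] = value
    return opts


@dataclass
class TaskFinding:
    task_name: str
    action: str
    signals: list[str]

    @property
    def score(self) -> int:
        return len(self.signals)


def triage(cmdline: str) -> TaskFinding:
    opts = parse_schtasks(cmdline)
    task_name = opts.get("tn", "")
    # Actions sometimes arrive double-wrapped ("'C:\...'" in the third report line).
    action = opts.get("tr", "").strip("'\" ")
    signals: list[str] = []
    if opts.get("sc", "").lower() == "onlogon":
        signals.append("logon-trigger")
    if opts.get("rl", "").lower() == "highest":
        signals.append("highest-runlevel")      # elevated token at logon, no UAC prompt for admins
    if task_name.startswith("$77"):
        signals.append("r77-hidden-prefix")     # r77 rootkit hides objects named with this prefix
    base = re.sub(r"\.[A-Za-z0-9]+$", "", task_name).lower()
    for legit in SYSTEM_PROCESS_NAMES:
        if 0 < levenshtein(base, legit) <= 2:   # near miss, not an exact match
            signals.append(f"system-process-lookalike:{legit}")
            break
    if USER_WRITABLE_RE.search(action):
        signals.append("action-in-user-writable-path")
    if NESTED_SYSTEM_DIR_RE.search(action):
        signals.append("action-in-nested-system-dir")
    return TaskFinding(task_name, action, signals)


if __name__ == "__main__":
    for line in REPORT_COMMAND_LINES + [BENIGN_COMMAND_LINE]:
        f = triage(line)
        print(f"score={f.score} tn={f.task_name!r} action={f.action!r} signals={f.signals}")
```

Each report line scores 4 and the control line scores 0. The lookalike check deliberately ignores exact matches: a task literally named "svchost" is suspicious for other reasons, but the point here is the one-character deviation that survives a casual glance at a task list.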
Processes
(indentation shows process-tree depth; the image path is followed by the command line and the signatures that fired on that process)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/R4t-Cra4ck3r/SeroXen_Cr4ck
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafda846f8,0x7ffafda84708,0x7ffafda84718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4048 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\Sxr_Installer.bat
      "C:\Users\Admin\Downloads\Sxr_Installer.bat"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Svhost" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Sxr_Installer.bat" /rl HIGHEST /f
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe
          "C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "Svhost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe" /rl HIGHEST /f
              - Creates scheduled task(s)

        C:\Windows\SysWOW64\SCHTASKS.exe
          "SCHTASKS.exe" /create /tn "$77Sxr_Installer.bat" /tr "'C:\Users\Admin\Downloads\Sxr_Installer.bat'" /sc onlogon /rl HIGHEST
          - Creates scheduled task(s)

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2188 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1

    C:\Users\Admin\Downloads\Sxr_Installer.bat
      "C:\Users\Admin\Downloads\Sxr_Installer.bat"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\SCHTASKS.exe
          "SCHTASKS.exe" /create /tn "$77Sxr_Installer.bat" /tr "'C:\Users\Admin\Downloads\Sxr_Installer.bat'" /sc onlogon /rl HIGHEST
          - Creates scheduled task(s)

    C:\Users\Admin\Downloads\Sxr_Installer.bat
      "C:\Users\Admin\Downloads\Sxr_Installer.bat"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\SCHTASKS.exe
          "SCHTASKS.exe" /create /tn "$77Sxr_Installer.bat" /tr "'C:\Users\Admin\Downloads\Sxr_Installer.bat'" /sc onlogon /rl HIGHEST
          - Creates scheduled task(s)

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11568983377738068256,10115785245223568396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Sxr_Installer.bat"

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x454 0x49c

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap26756:88:7zEvent395 -tzip -sae -- "C:\Users\Admin\Downloads\Sxr_Installer.zip"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\regedit.exe
  "C:\Windows\regedit.exe"
  - Runs regedit.exe
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sxr_Installer.bat.log
  Filesize: 1KB
  MD5:      10eab9c2684febb5327b6976f2047587
  SHA1:     a12ed54146a7f5c4c580416aecb899549712449e
  SHA256:   f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
  SHA512:   7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
  (.NET runtime usage log written while the Sxr_Installer.bat process ran; it proves a managed executable ran under that name, but its content is host-specific, so its hashes are not indicators)

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:      4f7152bc5a1a715ef481e37d1c791959
  SHA1:     c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
  SHA256:   704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
  SHA512:   2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:      ea98e583ad99df195d29aa066204ab56
  SHA1:     f89398664af0179641aa0138b337097b617cb2db
  SHA256:   a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
  SHA512:   e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5:      4b71f43742fdf1356a8a079bdd0aa9c2
  SHA1:     3878f3697a68434d54a288d550531f4b17da066e
  SHA256:   4409b4b1d9d34419705fad24f33112a9ffcdc0d1d35e709c0da1ec3bdab0b4f9
  SHA512:   b1497cdc4f3ea125c67d7f22bcdf1ea01a1773dff5bb5fcb40548c297cc7882bf29616dc3e8b02cb04101c193e71f2f1bf463a9562a27e42d25d68dfb3104c98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 579B
  MD5:      a7d1701142cca705f833d70023ef4e1e
  SHA1:     1b76853132abfcddb4fefac42bf9df5d013c9815
  SHA256:   6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7
  SHA512:   806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5:      e5413927fb32c6bc0e188f76215e9be1
  SHA1:     708ad75f1c1d68be564006ea060c08c073fd78e6
  SHA256:   2cca940df8f0ddc06aad1a928193379c7cb6d3358c4cb55df264797ab484e97b
  SHA512:   a054aa8d1cd46cae9dc05e60e61fe7f6800e273491e63c12224a5758ac217480958c7c8a2f34b8e756dd87cf3aa85611f63bbbb6e7804e971f984a99aa56878d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:      2b161bccfcf6db709a71ff656c866c8b
  SHA1:     05c596d8c64d407c3adae0317036c0eb93c4574f
  SHA256:   2efbc36f4fe809393532a053fc0dc507573b116589ee28f691c7c56f6b046c9a
  SHA512:   e79d688804390c58ba91ad4ca0cadef6d05724123bf3bfdfc9251f873c7042199ff1b36f4e8d0e8571fb1997f411e0e6ee379303b46a195ea3b07bd232eb6532

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:      205df23827bd60955e3e509edb9a8896
  SHA1:     b92c2f563798c20b4a03339e09a364621b5b3aa3
  SHA256:   d49a5af230ac0f67e27eb4d5d3c2dfcfe497c3956bf40b3863bb39518aaa4534
  SHA512:   068f9ffd2991dbb904e2be34594708ec51ad753eb275dec539ba19a9972680c79486a771a3893ceb96da877b92c5242a2e84c519a62a5a7ae0716e5fb80e2e23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:      6752a1d65b201c13b62ea44016eb221f
  SHA1:     58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256:   0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512:   9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:      d143ad1f781dd71f5845def10cf75059
  SHA1:     b7be74060e891e318338fbfb679dab2b153bdabe
  SHA256:   96572b308b84bfe3b1d62f80a66fed486069b89f0524571b8a323bc454a542b1
  SHA512:   9208b612a14e8916cab99180782906669496c65a4eb374f8a0825416c4491f90e0676c6b81505bde9698c6b035b9fa2d01c2edeb84c4553cf722697c699e70ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:      9f565cd20becb2dbed5940b7db48e66d
  SHA1:     c28816567a87cc8f4cea50c3876c4410cd677bb0
  SHA256:   fad7784c1426b8632d78785c275369830508718ef1cda578502389fad2547530
  SHA512:   a63b822819e96329d2a0309b49d579889aad814560bb5bcdbc32bcd7ddcbe8fdfd7764f03d49ecbd2ac1fa925bf6e8b6cb5724e73730196a5ef63ca06ebd369a
  (the Edge User Data entries above are browser profile state written by msedge.exe itself and change on every run; they are not indicators)

C:\Users\Admin\Downloads\Unconfirmed 936870.crdownload
  Filesize: 409KB
  MD5:      9eaba1c208b8e7a0c94c109e60c5b113
  SHA1:     a602439a57a44287dff1d980d2c959c0d934a9e4
  SHA256:   ab6f4a4fa9bbdf8d9461023a2819b76b07d93e7d31e9d97a490f8ed4c0c0dccc
  SHA512:   625363f1203596200cd6fdc7c9f9ce8b6af0634299dc750f490305822385d8915981c8c7a162588959dbf000a7d8b4af8d61352fd84a176207c592ded2f87fa6
  (in-progress Edge download name; this is the file that matched family_quasar and the one hash set on this page worth using as a file indicator)

\??\pipe\LOCAL\crashpad_4856_DKBTAEMKFVYWJYSH
  MD5:      d41d8cd98f00b204e9800998ecf8427e
  SHA1:     da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256:   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512:   cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (Edge's crashpad named pipe; all four values are the digests of zero-length input and would match every empty file if used as indicators)

Memory regions carved from the payload processes (no file hashes):
  memory/5648-211-0x0000000004AC0000-0x0000000004B26000-memory.dmp  408KB
  memory/5648-212-0x0000000004F50000-0x0000000004F62000-memory.dmp  72KB
  memory/5648-213-0x0000000005C40000-0x0000000005C7C000-memory.dmp  240KB
  memory/5648-210-0x0000000004A20000-0x0000000004AB2000-memory.dmp  584KB
  memory/5648-209-0x0000000004FD0000-0x0000000005574000-memory.dmp  5.6MB
  memory/5648-208-0x00000000000B0000-0x000000000011C000-memory.dmp  432KB  (matched family_quasar, see Signatures)
  memory/5884-240-0x0000000006530000-0x000000000653A000-memory.dmp  40KB
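A dropped-file table like the one above is usually pasted straight into a blocklist, which is how the empty-input digests of a crashpad pipe or the per-host Edge profile files end up as "indicators". The following added example (mine, not part of the sandbox report) parses the table in the label-fused form in which the export arrived, computes the zero-length digests with hashlib rather than trusting memorised constants, and sorts each row into a category so that only the real dropped file reaches a blocklist. The sample is a constructed subset of the rows above (SHA512 lines left out for the first two entries); the category names and the path patterns for browser state and CLR usage logs are my own classification, not the report's.

```python
"""Sort a sandbox 'Downloads' hash table into usable and unusable indicators.
Added example; not part of the sandbox report."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed subset of the report's Downloads rows, in the export's fused form
# (the next column's label is glued onto the path: "...crdownloadFilesize", "...JYSHMD5").
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sxr_Installer.bat.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54f7152bc5a1a715ef481e37d1c791959
SHA256704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
-
C:\Users\Admin\Downloads\Unconfirmed 936870.crdownloadFilesize
409KB
MD59eaba1c208b8e7a0c94c109e60c5b113
SHA1a602439a57a44287dff1d980d2c959c0d934a9e4
SHA256ab6f4a4fa9bbdf8d9461023a2819b76b07d93e7d31e9d97a490f8ed4c0c0dccc
-
\??\pipe\LOCAL\crashpad_4856_DKBTAEMKFVYWJYSHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
memory/5648-208-0x00000000000B0000-0x000000000011C000-memory.dmpFilesize
432KB
"""

HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}   # algorithm by digest length
LABEL_RE = re.compile(r"^(?:MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^(?:Filesize\s*:?\s*)?(\d+(?:\.\d+)?[KMG]?B)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
FUSED_LABEL_RE = re.compile(r"(?:Filesize|MD5|SHA1|SHA256|SHA512)\s*:?$")
# Digests of zero-length input: a row carrying these describes nothing.
EMPTY = {alg: hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


@dataclass
class Row:
    path: str
    size: str | None = None
    hashes: dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> list[Row]:
    rows: list[Row] = []
    cur: Row | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = SIZE_RE.match(line)            # checked before the hex test: "152B" is all hex digits
        if m and cur is not None:
            cur.size = m.group(1)
            continue
        m = LABEL_RE.match(line)
        digest = m.group(1) if m else (line if HEX_RE.match(line) else None)
        if digest is not None and len(digest) in HEX_LEN and cur is not None:
            cur.hashes[HEX_LEN[len(digest)]] = digest.lower()
            continue
        cur = Row(path=FUSED_LABEL_RE.sub("", line).rstrip())   # anything else opens a new row
        rows.append(cur)
    return rows


def classify(row: Row) -> str:
    if row.path.startswith("memory/"):
        return "memory-dump"            # carved region, no file to hash
    if row.hashes and all(row.hashes[a] == EMPTY[a] for a in row.hashes):
        return "empty-content"          # would match every empty file on every host
    if row.path.startswith("\\??\\pipe\\") or re.search(r"\\Microsoft\\Edge\\User Data\\", row.path, re.I):
        return "browser-artifact"       # Edge profile state, different on every run
    if re.search(r"\\CLR_v4\.0_(?:32|64)\\UsageLogs\\", row.path, re.I):
        return "host-generated"         # .NET usage log: proves a managed process ran, content is per-host
    return "candidate-indicator"


def triage_rows(text: str) -> list[tuple[str, str]]:
    return [(r.path, classify(r)) for r in parse_report(text)]


def blocklist(rows: list[Row]) -> list[str]:
    """SHA256 values that are actually worth pushing to a blocklist."""
    return sorted(r.hashes["sha256"] for r in rows
                  if classify(r) == "candidate-indicator" and "sha256" in r.hashes)


if __name__ == "__main__":
    for path, category in triage_rows(SAMPLE_REPORT):
        print(f"{category:20} {path}")
    print("blocklist:", blocklist(parse_report(SAMPLE_REPORT)))
```

Of the five sample rows only the crdownload survives into the blocklist. The empty-content check is generic: any future report row whose digests equal the freshly computed `EMPTY` values is rejected regardless of path, which also catches zero-byte placeholder files the browser or installer creates before writing.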