b370ad084c003a0fac7bc5e3f32fb083a5e32764d9080b6aaaca082a6a248373

General

Target

333/Star.exe
Size

481KB
MD5

2b7d003b0782e1b2818cc7717e0c2c53
SHA1

3f742c457300b379dc2d2324a0a0d870bc78f6ba
SHA256

1e61804993ddb8b890c1ada44898a7953273ce8eef7ae60505083037db43902d
SHA512

916c16e4f47bee06b4dc464f74e09ffa748c87e7e152eb958e29cf659ff31ec0967ed1d705cc5f64b6025e4730c86687e7dd0f767b235b635312d19f14668db8
SSDEEP

12288:loSWNTrO+uNxYlv4fc/N6Kz/oMfH8FUgC:loS2TrbOovQc/NjooHcUgC

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
232	PING.EXE
3180	PING.EXE
2424	PING.EXE
4524	PING.EXE
1384	PING.EXE
3864	PING.EXE
2592	PING.EXE
3476	PING.EXE
4532	PING.EXE
1376	PING.EXE
828	PING.EXE
1120	PING.EXE
628	PING.EXE
4044	PING.EXE
4220	PING.EXE
3236	PING.EXE
3048	PING.EXE
1708	PING.EXE
1420	PING.EXE
2932	PING.EXE
2996	PING.EXE
3896	PING.EXE
5048	PING.EXE
1740	PING.EXE
4232	PING.EXE
4968	PING.EXE
2456	PING.EXE
2400	PING.EXE
1756	PING.EXE
2348	PING.EXE
1644	PING.EXE
1492	PING.EXE
1248	PING.EXE
1988	PING.EXE
1900	PING.EXE
2760	PING.EXE
3140	PING.EXE
2016	PING.EXE
4392	PING.EXE
3440	PING.EXE
3612	PING.EXE
948	PING.EXE
3388	PING.EXE
1136	PING.EXE
1984	PING.EXE
4112	PING.EXE
3804	PING.EXE
2948	PING.EXE
2124	PING.EXE
336	PING.EXE
3420	PING.EXE
2604	PING.EXE
1808	PING.EXE
4088	PING.EXE
4308	PING.EXE
4024	PING.EXE
4800	PING.EXE
4164	PING.EXE
2380	PING.EXE
4888	PING.EXE
4924	PING.EXE
4280	PING.EXE
4356	PING.EXE
4852	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

msedge.exemsedge.exe

pid process

4476 msedge.exe
4476 msedge.exe
3048 msedge.exe
3048 msedge.exe
3048 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3048 msedge.exe
3048 msedge.exe

pid	process
4476	msedge.exe
4476	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe
3048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Star.execmd.exe

description	pid	process	target process
PID 4180 wrote to memory of 3232	4180	Star.exe	cmd.exe
PID 4180 wrote to memory of 3232	4180	Star.exe	cmd.exe
PID 3232 wrote to memory of 3416	3232	cmd.exe	mode.com
PID 3232 wrote to memory of 3416	3232	cmd.exe	mode.com
PID 3232 wrote to memory of 2016	3232	cmd.exe	chcp.com
PID 3232 wrote to memory of 2016	3232	cmd.exe	chcp.com
PID 3232 wrote to memory of 3148	3232	cmd.exe	mode.com
PID 3232 wrote to memory of 3148	3232	cmd.exe	mode.com
PID 3232 wrote to memory of 1640	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1640	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4232	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4232	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3804	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3804	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2204	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2204	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1756	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1756	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 232	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 232	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2604	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2604	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1572	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1572	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 532	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 532	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4732	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4732	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1948	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1948	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4312	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4312	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4888	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4888	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4924	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4924	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2960	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2960	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2692	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2692	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1808	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1808	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4044	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4044	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4088	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4088	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2348	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2348	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3756	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3756	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2696	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2696	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1212	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1212	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3864	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3864	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4220	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 4220	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1644	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 1644	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3868	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3868	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3896	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3896	3232	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\333\Star.exe
"C:\Users\Admin\AppData\Local\Temp\333\Star.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\52B4.tmp\52B5.tmp\52B6.bat C:\Users\Admin\AppData\Local\Temp\333\Star.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\system32\mode.com
mode con lines=25 cols=80
3⤵
PID:3416

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2016

C:\Windows\system32\mode.com
mode 99, 35
3⤵
PID:3148

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1640

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4232

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3804

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2204

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1756

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:232

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2604

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1572

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:532

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4732

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1948

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4312

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4888

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4924

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2960

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2692

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1808

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4044

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4088

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2348

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:3756

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2696

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1212

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3864

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4220

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1644

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:3868

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3896

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1964

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1628

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1420

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4308

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4280

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4800

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2016

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3612

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4160

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1492

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:3168

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4816

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4356

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2948

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3236

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4940

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1220

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2932

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:5048

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1248

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1508

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2720

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2368

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:412

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2124

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:976

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2984

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4748

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:948

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1988

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4392

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2592

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3420

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1232

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3440

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:3684

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:3056

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2732

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3180

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:336

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4352

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:3244

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1984

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2456

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2424

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4332

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4988

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4472

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3048

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4948

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4524

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4968

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:624

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1740

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4528

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2924

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2400

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:828

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1120

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4852

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4496

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1900

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2268

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:224

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3476

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1392

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4300

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2020

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2760

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4864

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:544

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4164

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4532

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:2112

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1384

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:1096

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4112

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1708

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2380

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:4348

C:\Windows\system32\mode.com
mode con lines=25 cols=80
3⤵
PID:2932

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:668

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4024

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
3⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=".[;m[33m╚══[93m> "
3⤵
PID:540

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:348

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
3⤵
PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=".[;m[33m╚══[93m> "
3⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\333\gen.exe
gen.exe
3⤵
PID:2024

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\139E.tmp\139F.tmp\13A0.bat C:\Users\Admin\AppData\Local\Temp\333\gen.exe"
4⤵
PID:2592

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:996

C:\Windows\system32\mode.com
mode 80, 28
5⤵
PID:1640

C:\Windows\system32\PING.EXE
ping localhost -n 1
5⤵
- Runs ping.exe
PID:1136

C:\Windows\system32\PING.EXE
ping localhost -n 1
5⤵
PID:1092

C:\Windows\system32\PING.EXE
ping localhost -n 1
5⤵
- Runs ping.exe
PID:1376

C:\Windows\system32\PING.EXE
ping localhost -n 1
5⤵
PID:3204

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:3140

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
3⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=".[;m[33m╚══[93m> "
3⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://6starlight.weebly.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9903a46f8,0x7ff9903a4708,0x7ff9903a4718
4⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7594877054749820193,15494519560843235816,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
4⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,7594877054749820193,15494519560843235816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,7594877054749820193,15494519560843235816,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
4⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7594877054749820193,15494519560843235816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
4⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7594877054749820193,15494519560843235816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
4⤵
PID:1892

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
PID:3944

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
3⤵
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p=".[;m[33m╚══[93m> "
3⤵
PID:2072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
eaeef43da8b2db63480e57aa9987a933

SHA1
1bfddcd5f41a144608b3bbe1651194bd8c300445

SHA256
e88cc676b66f79c59b8e1b52096cd2b0dd89e1a7055ac9f07da01bd519877cf3

SHA512
89a1598fdd9fa8cc3feaa294c19c9aa8cbf03b394b2e4803048035cde04bc37a29c2937cc523ab327088b554beac0c73d5542b97b263fa7750367b5391cd64f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\139E.tmp\139F.tmp\13A0.bat
Filesize
1KB

MD5
89f8e06fba293fbf97a36e00061827e0

SHA1
b46a76aa56495526235f5d0c5188e4733d46c353

SHA256
d06eda94b218a1eadff481b54023879380aa48e3c1abef816669618688582454

SHA512
c369fe01b0a7eff454bb61ccaa90d4dd7149bf049f804464e7a60b3e6d563cc505912aaad298abe0f4922acf2604b863ef318f4ac2bbf2e993aa02e2d0aab5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\52B4.tmp\52B5.tmp\52B6.bat
Filesize
375KB

MD5
7b5496f185f7e4734846b00233159d43

SHA1
82385f3d27fc1005210c763b08e65795c6c14579

SHA256
dac3dffe8823d8954fb52c8be52dcc24723761f9ca6545e8a4a5511309342ac9

SHA512
4b02aafa55159094d82e5e9e8c04a53a1c52939c828305f64ca506b4bdc919e8aa70a6a6675d6e1e85d446149c1c58de726428c42b8cedb81836238198b50ff9

Download Submit
\??\pipe\LOCAL\crashpad_3048_ITWDKGQSSJGMACWP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads