Overview
overview
10Static
static
3panel.exe
windows10-2004-x64
10$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows10-2004-x64
1setup.exe
windows10-2004-x64
10swiftshade...GL.dll
windows10-2004-x64
1swiftshade...v2.dll
windows10-2004-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows10-2004-x64
3Analysis
-
max time kernel
25s -
max time network
17s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-fr -
resource tags
arch:x64arch:x86image:win10v2004-20240611-frlocale:fr-fros:windows10-2004-x64systemwindows -
submitted
13-06-2024 00:56
Static task
static1
Behavioral task
behavioral1
Sample
panel.exe
Resource
win10v2004-20240611-fr
Behavioral task
behavioral2
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240508-fr
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240611-fr
Behavioral task
behavioral4
Sample
LICENSES.chromium.html
Resource
win10v2004-20240508-fr
Behavioral task
behavioral5
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240508-fr
Behavioral task
behavioral6
Sample
ffmpeg.dll
Resource
win10v2004-20240508-fr
Behavioral task
behavioral7
Sample
libEGL.dll
Resource
win10v2004-20240508-fr
Behavioral task
behavioral8
Sample
libGLESv2.dll
Resource
win10v2004-20240611-fr
Behavioral task
behavioral9
Sample
resources/elevate.exe
Resource
win10v2004-20240611-fr
Behavioral task
behavioral10
Sample
setup.exe
Resource
win10v2004-20240611-fr
Behavioral task
behavioral11
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20240508-fr
Behavioral task
behavioral12
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20240611-fr
Behavioral task
behavioral13
Sample
vk_swiftshader.dll
Resource
win10v2004-20240508-fr
Behavioral task
behavioral14
Sample
vulkan-1.dll
Resource
win10v2004-20240611-fr
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240611-fr
General
-
Target
setup.exe
-
Size
140.1MB
-
MD5
b1ccbfbedc38786e9a0e9605b876c38b
-
SHA1
6be127d660dc19d8abaaa0b7a1fc61e6c4c1cef8
-
SHA256
ce0fcb2457ffa323e7a9aa65fb7aa3e5cd62bb09faadad83dde9882db04b9f14
-
SHA512
eb3f5a4e4e801b2d22d1ea8a2d9445430cf49eca895b9583e4fb0f1add3354de9f032d4e50d00d47425e983fc589aa28c3dd1a263a68cb3b6979d8186667c624
-
SSDEEP
1572864:42Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:/aodJFek8+k
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation setup.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation setup.exe -
Loads dropped DLL 2 IoCs
pid Process 1256 setup.exe 1256 setup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 ipinfo.io 20 ipinfo.io -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString setup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString setup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 setup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz setup.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 1700 WMIC.exe -
Kills process with taskkill 1 IoCs
pid Process 2056 taskkill.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 setup.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1256 setup.exe Token: SeCreatePagefilePrivilege 1256 setup.exe Token: SeIncreaseQuotaPrivilege 2120 WMIC.exe Token: SeSecurityPrivilege 2120 WMIC.exe Token: SeTakeOwnershipPrivilege 2120 WMIC.exe Token: SeLoadDriverPrivilege 2120 WMIC.exe Token: SeSystemProfilePrivilege 2120 WMIC.exe Token: SeSystemtimePrivilege 2120 WMIC.exe Token: SeProfSingleProcessPrivilege 2120 WMIC.exe Token: SeIncBasePriorityPrivilege 2120 WMIC.exe Token: SeCreatePagefilePrivilege 2120 WMIC.exe Token: SeBackupPrivilege 2120 WMIC.exe Token: SeRestorePrivilege 2120 WMIC.exe Token: SeShutdownPrivilege 2120 WMIC.exe Token: SeDebugPrivilege 2120 WMIC.exe Token: SeSystemEnvironmentPrivilege 2120 WMIC.exe Token: SeRemoteShutdownPrivilege 2120 WMIC.exe Token: SeUndockPrivilege 2120 WMIC.exe Token: SeManageVolumePrivilege 2120 WMIC.exe Token: 33 2120 WMIC.exe Token: 34 2120 WMIC.exe Token: 35 2120 WMIC.exe Token: 36 2120 WMIC.exe Token: SeIncreaseQuotaPrivilege 2120 WMIC.exe Token: SeSecurityPrivilege 2120 WMIC.exe Token: SeTakeOwnershipPrivilege 2120 WMIC.exe Token: SeLoadDriverPrivilege 2120 WMIC.exe Token: SeSystemProfilePrivilege 2120 WMIC.exe Token: SeSystemtimePrivilege 2120 WMIC.exe Token: SeProfSingleProcessPrivilege 2120 WMIC.exe Token: SeIncBasePriorityPrivilege 2120 WMIC.exe Token: SeCreatePagefilePrivilege 2120 WMIC.exe Token: SeBackupPrivilege 2120 WMIC.exe Token: SeRestorePrivilege 2120 WMIC.exe Token: SeShutdownPrivilege 2120 WMIC.exe Token: SeDebugPrivilege 2120 WMIC.exe Token: SeSystemEnvironmentPrivilege 2120 WMIC.exe Token: SeRemoteShutdownPrivilege 2120 WMIC.exe Token: SeUndockPrivilege 2120 WMIC.exe Token: SeManageVolumePrivilege 2120 WMIC.exe Token: 33 2120 WMIC.exe Token: 34 2120 WMIC.exe Token: 35 2120 WMIC.exe Token: 36 2120 WMIC.exe Token: SeIncreaseQuotaPrivilege 1700 WMIC.exe Token: SeSecurityPrivilege 1700 WMIC.exe Token: SeTakeOwnershipPrivilege 1700 WMIC.exe Token: SeLoadDriverPrivilege 1700 WMIC.exe Token: SeSystemProfilePrivilege 1700 WMIC.exe Token: SeSystemtimePrivilege 1700 WMIC.exe Token: SeProfSingleProcessPrivilege 1700 WMIC.exe Token: SeIncBasePriorityPrivilege 1700 WMIC.exe Token: SeCreatePagefilePrivilege 1700 WMIC.exe Token: SeBackupPrivilege 1700 WMIC.exe Token: SeRestorePrivilege 1700 WMIC.exe Token: SeShutdownPrivilege 1700 WMIC.exe Token: SeDebugPrivilege 1700 WMIC.exe Token: SeSystemEnvironmentPrivilege 1700 WMIC.exe Token: SeRemoteShutdownPrivilege 1700 WMIC.exe Token: SeUndockPrivilege 1700 WMIC.exe Token: SeManageVolumePrivilege 1700 WMIC.exe Token: 33 1700 WMIC.exe Token: 34 1700 WMIC.exe Token: 35 1700 WMIC.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1256 setup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 4924 1256 setup.exe 83 PID 1256 wrote to memory of 2564 1256 setup.exe 84 PID 1256 wrote to memory of 2564 1256 setup.exe 84 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85 PID 1256 wrote to memory of 1728 1256 setup.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:4924
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --mojo-platform-channel-handle=2156 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2400 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:12⤵
- Checks computer location settings
PID:1728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""2⤵PID:3888
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"3⤵PID:4572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"2⤵PID:2628
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath3⤵PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"2⤵PID:3228
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:3904
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"2⤵PID:5076
-
C:\Windows\system32\cmd.execmd /c chcp 650013⤵PID:5080
-
C:\Windows\system32\chcp.comchcp 650014⤵PID:4592
-
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵PID:644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"2⤵PID:3256
-
C:\Windows\system32\taskkill.exetaskkill /IM msedge.exe /F3⤵
- Kills process with taskkill
PID:2056
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD5083fd9f2e3e93e1f2c599a2b609c9e5e
SHA16db2b6ce3e60d828ca32a6000c270c09224f3139
SHA2565800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd
SHA51208206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2
-
Filesize
642KB
MD54c8d6ba1b9e1141bfc8f700a9aa543c0
SHA166717fc5b64efb94b61f5476bb3d041c619580ea
SHA2560a1ce9b4eaf029f7b13e5b677bb8ad3192c0e3088d854a21bbe304e857f677b4
SHA512ee79d8435276650c87664b87b50ec06597630c2f996f68a95e62cec5188e787e5fe35181c4282dda9960039fe17cdb38b0e8a6a5abc39701abec9e2731fcda47
-
Filesize
249B
MD5cf7e4a12f932a3fddddacc8b10e1f1b0
SHA1db6f9bc2be5e0905086b7b7b07109ef8d67b24ee
SHA2561b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b
SHA512fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c
-
Filesize
216B
MD53850dcbdfccef2b2579651cbf2e766f7
SHA1dd26947e7dc339059d9de4a7aa4a2b09ed621f13
SHA256c57f2081f932cd5c03d755090fef4d3ac56494a90b425a4d546a0885a98b18e3
SHA51267fda6f0d08e466caaa7d18fb7b43da4ce5b575c584565718895048c1b4ccc1bf4559ff83b1f063030baa8970c8abbec1ab477fd1c0d46f391f10c21bcb2ce4e
-
Filesize
231B
MD5dec2be4f1ec3592cea668aa279e7cc9b
SHA1327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA51281728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66