Analysis
-
max time kernel: 148s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-06-2024 20:56
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://gofile.io/d/FqIa2I
Resource: win11-20240611-en
General
-
Target
https://gofile.io/d/FqIa2I
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1888-128-0x00000000064E0000-0x00000000066F6000-memory.dmp | family_agenttesla
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
3472 | 1888 | WerFault.exe | Unknown.exe
2524 | 1412 | WerFault.exe | Unknown.exe
388 | 3716 | WerFault.exe | Unknown.exe
Enumerates system info in registry 2 TTPs 12 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Unknown.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Unknown.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Unknown.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Unknown.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Unknown.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Unknown.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Unknown.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Unknown.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Unknown.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies Internet Explorer settings 13 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main | Unknown.exe
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Unknown.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | Unknown.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Unknown.exe
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main | Unknown.exe
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Unknown.exe
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Unknown.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Unknown.exe
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main | Unknown.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | Unknown.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | Unknown.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Unknown.exe = "11001" | Unknown.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Unknown.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | msedge.exe
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Debug.zip:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
652 | msedge.exe (2 entries)
1072 | msedge.exe (2 entries)
3792 | identity_helper.exe (2 entries)
4572 | msedge.exe (2 entries)
2344 | msedge.exe (2 entries)
2744 | msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
pid | process
1072 | msedge.exe (10 entries)
Suspicious use of FindShellTrayWindow 36 IoCs
Processes:
pid | process
1072 | msedge.exe (36 entries)
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
pid | process
1072 | msedge.exe (12 entries)
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1888 | Unknown.exe (2 entries)
1412 | Unknown.exe (2 entries)
3716 | Unknown.exe (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1072 wrote to memory of 1192 | 1072 | msedge.exe | msedge.exe
PID 1072 wrote to memory of 2360 | 1072 | msedge.exe | msedge.exe
PID 1072 wrote to memory of 652 | 1072 | msedge.exe | msedge.exe
PID 1072 wrote to memory of 2992 | 1072 | msedge.exe | msedge.exe
(64 entries in total; repeated rows with the same target PID are collapsed into one line each)
Processes
-
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/FqIa2I
PID: 1072
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda2193cb8,0x7ffda2193cc8,0x7ffda2193cd8
    PID: 1192
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
    PID: 2360
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
    PID: 652
    - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
    PID: 2992
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    PID: 1432
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    PID: 2072
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
    PID: 1924
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
    PID: 3792
    - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
    PID: 2684
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    PID: 4576
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
    PID: 4572
    - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    PID: 4948
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    PID: 4652
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    PID: 2900
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    PID: 3624
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    PID: 1188
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 /prefetch:8
    PID: 2344
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,14430351684042194155,12856992245888588697,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5188 /prefetch:2
    PID: 2744
    - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4940
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2356
-
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 2496
-
"C:\Users\Admin\Downloads\Debug\Debug\Unknown.exe"
PID: 1888
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 1780
    PID: 3472
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1888 -ip 1888
PID: 2608
-
"C:\Users\Admin\Downloads\Debug\Debug\Unknown.exe"
PID: 1412
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 2100
    PID: 2524
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1412 -ip 1412
PID: 4292
-
"C:\Users\Admin\Downloads\Debug\Debug\Unknown.exe"
PID: 3716
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 2088
    PID: 388
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3716 -ip 3716
PID: 2036
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 152B
MD5 64f055a833e60505264595e7edbf62f6
SHA1 dad32ce325006c1d094b7c07550aca28a8dac890
SHA256 7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99
SHA512 86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a
-
Filesize 152B
MD5 a74887034b3a720c50e557d5b1c790bf
SHA1 fb245478258648a65aa189b967590eef6fb167be
SHA256 f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250
SHA512 888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 288B
MD5 7329a1e770a235f4574920ea5e771b31
SHA1 3737a7698e2a47c64e4e5b88eea79a607d46caa6
SHA256 5bb5200c5d3256f6fb018cddf7616ec49860b2fd51fddd3477e0be0e2c2f406f
SHA512 ebb70007825b9f1c1145358b5c1a8bb6e3a0ad733f7615711befac5d5a3f9c22d27f2bfa175e0a42798aad572dbe78c9103f395c8e4213607bed6d7d9c9ea076
-
Filesize 782B
MD5 e7285e904757e1769b2e5cc0d3561b16
SHA1 90892f1be930573a2ea02b08362d3ad0aeee6858
SHA256 6a04bc326d4c91dafce23b772531daec4b7654aa685a9f098404640600badf5c
SHA512 4b7dde40c3ce645ebd7206d9c7eaba851a19815ce27d518661256aa923e9447103707ee9df3f6ac17080d587f8d617d3f7e84542b17d2ac633e40f42c62c1d8a
-
Filesize 6KB
MD5 c947496fd43b70a602e1110b3509666c
SHA1 5a1f42df2ceea38e8d6dd28912273fbf972c711c
SHA256 03bf909b68391b6f25af43d3c085f5152b7fc0af09ac632c242efd1a621e499b
SHA512 44095cb7d75efb4f649e0e8e93a36ea484b324fa272f750efdff69c45bd8f54100caf553d325e511c2a045f47ad55d04b5d5c425f5199cde82c4d6028a49ecba
-
Filesize 6KB
MD5 656a6d994e22abecf7b6e0d0486cbe2a
SHA1 00d1d38c5dc9603334cdcbd84bd68ec58d076b93
SHA256 5b74cc864ccf1570a57222248fa7c5cc5d52a02ed99752f0c90365b5375cf137
SHA512 5997a7fd2b966fc4aa76c8cd3142a7c39debef45f7c7a79183b975bbde2bedf7f1efafb5cd007d6d016ff46b93d25001401bae3f631a4d7b0b3da2cf8822c1f9
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize 11KB
MD5 35811200b7b4da710614466035771536
SHA1 65d3870a98ba3a459b3bd182715eccf199524b73
SHA256 a1445796b032ad44faa3d8b8be2c5790a98e7bdfd4e94bceebb8c6c8d3a75e0f
SHA512 84b6221da8f549c3a2c90fb27fa319354defc4c0a8608952c9ea5e862b69cac7df644f9886c7115d11d97abfc3ae844396d2b836614e5daa726ffbf8845952e7
-
Filesize 11KB
MD5 537f58b93699b4d1c66a0da4e768c0c6
SHA1 6bce73e0712c61faf9c70eac8d28b8ed340224b9
SHA256 58d131af1cb4e64c1f934a25516a086cba34e61c75fab7f1438a2765f2725926
SHA512 1549a904f4f6802501eb36f1dd2e602c9a1a894441165dd5bd294a8b9efeb89e2a8dc82af158c28120fd324ff7705767ff77ac268d26aa031b1025f3c5c0c919
-
C:\Users\Admin\AppData\Local\Unknown\Unknown.exe_Url_q1yr4kdzssc4z1ioqenkit0di2go5r5l\1.0.0.0\user.config
Filesize 314B
MD5 40f1d03376d1fba4d2c01dc865705910
SHA1 085c02fa6f5cf9976e49ff387ae4729de883e39b
SHA256 10bfc55bf2598b749d968e14055e8271f08136fe813bcf09e6c4e4ec886a4ed3
SHA512 2831107cd353cb4f0ad85fee4b01c4ca9742f87a8ca9e419f1f1bd252614c8116764b9616cc2d47660fd7124d42528afadb45021e8bb71a118b2e515b8bf2b5f
-
Filesize 3.4MB
MD5 f9b9132e580ba02d257b16ff1b5d51ab
SHA1 d3d234d4ca2d07122802d52748957f9e5d882a6e
SHA256 40058264c50c118eae3308775868c6f0b075091a6105fb322076856f77a6780f
SHA512 80721d6cd26c842fc1c9f8fae09f892a19820429e7759002a27ac502cfd93900e46e0669c9207276bf7787802522a7edfc7d29e72da0601b2baace3cdc435442
-
Filesize 26B
MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize 0B (the digests below are those of an empty file)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e