Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 08-08-2024 03:16
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/EuZGzbQZ#tuDahR2xAJClVZ3Bbg5PZONI1945IRcejld3E86WH60
Resource: win10v2004-20240802-en

General
Target: https://mega.nz/file/EuZGzbQZ#tuDahR2xAJClVZ3Bbg5PZONI1945IRcejld3E86WH60
Malware Config
Extracted (44caliber):
https://discord.com/api/webhooks/1179477783735451778/91E5ZMjbQLRcKdVETaUeu6gs8rqwbndcwnn3va8Xyp0YomGet52KGjiXRZzapBves0nl
Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.

Executes dropped EXE 3 IoCs
pid | Process
1140 | Nursultan_Crack.exe
3528 | Nursultan_Crack.exe
6092 | Nursultan_Crack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
46 | freegeoip.app
47 | freegeoip.app
52 | freegeoip.app
66 | freegeoip.app

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Nursultan_Crack.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Nursultan_Crack.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Nursultan_Crack.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Nursultan_Crack.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Nursultan_Crack.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Nursultan_Crack.exe

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | msedge.exe

NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 142627.crdownload:SmartScreen | msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
5772 | taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
812 | msedge.exe
812 | msedge.exe
812 | msedge.exe
812 | msedge.exe
812 | msedge.exe
812 | msedge.exe
812 | msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: 33 | 4376 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4376 | AUDIODG.EXE
Token: SeDebugPrivilege | 1140 | Nursultan_Crack.exe
Token: SeDebugPrivilege | 3528 | Nursultan_Crack.exe
Token: SeDebugPrivilege | 5772 | taskmgr.exe
Token: SeSystemProfilePrivilege | 5772 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 5772 | taskmgr.exe
Token: SeDebugPrivilege | 6092 | Nursultan_Crack.exe

Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5316 | SystemSettingsAdminFlows.exe
5420 | LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes
(child processes are indented under their parent; signatures hit by each process are listed beneath its command line)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:812
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/EuZGzbQZ#tuDahR2xAJClVZ3Bbg5PZONI1945IRcejld3E86WH60
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4932
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93cf746f8,0x7ff93cf74708,0x7ff93cf74718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4672
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4784
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2464
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2460
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1656
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1440
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4824 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:4292
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:640
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4836
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:448
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2468
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3472 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2920
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1644
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:836
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:440
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1456
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\Nursultan_Crack.exe  PID:1140
      Command line: "C:\Users\Admin\Downloads\Nursultan_Crack.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Downloads\Nursultan_Crack.exe  PID:3528
      Command line: "C:\Users\Admin\Downloads\Nursultan_Crack.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:6124
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe  PID:3824
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID:3876
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE  PID:4376
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4cc 0x3fc
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe  PID:5656
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\taskmgr.exe  PID:5772
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\Downloads\Nursultan_Crack.exe  PID:6092
  Command line: "C:\Users\Admin\Downloads\Nursultan_Crack.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\SystemSettingsAdminFlows.exe  PID:5316
  Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOnRdp
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe  PID:5200
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Windows\system32\LogonUI.exe  PID:5420
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38c6855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads