Analysis
-
max time kernel
528s -
max time network
525s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
08-08-2024 10:16
General
-
Target
https://drive.google.com/file/d/1DLWNBTyEUzBI7XFrywLmQA9zmkmLbB2p/view
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1DLWNBTyEUzBI7XFrywLmQA9zmkmLbB2p/view1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff997143cb8,0x7ff997143cc8,0x7ff997143cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4664 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5952 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6376 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7032 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7768 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1428,5218536603424205184,18175727284653381431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7072 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\7z2407.exe"C:\Users\Admin\Downloads\7z2407.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\c0b3c3d0594441199eacb4bef6092e7f /t 4168 /p 24161⤵
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\ac48cce8a1df44a1be9cc9a8636cdf18 /t 4496 /p 24641⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\FL STUD10 (2024) v21.1 FULL.rar"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54c3889d3f0d2246f800c495aec7c3f7c
SHA1dd38e6bf74617bfcf9d6cceff2f746a094114220
SHA2560a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4
SHA5122d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37
-
Filesize
152B
MD5c4a10f6df4922438ca68ada540730100
SHA14c7bfbe3e2358a28bf5b024c4be485fa6773629e
SHA256f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02
SHA512b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
41KB
MD500d4cc262b70dd3d386111ff78fb0812
SHA1628d4dcee1e82d04ab3969c29e256cef10101407
SHA256956916ddd6bb5ebde0f5df3605a524d1624ea335cdc6bd5bf26681d3a5ac5239
SHA51212f3cf77c4ee58eb00b08ced394d35e35237da4bc9ca62b1408c6dca4350068aa94d3a0e98132aa0e6cbcbdb7dee9c2b9c5399ba7c4780442200ad37a4c2b1a6
-
Filesize
67KB
MD51d9097f6fd8365c7ed19f621246587eb
SHA1937676f80fd908adc63adb3deb7d0bf4b64ad30e
SHA256a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf
SHA512251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5027a77a637cb439865b2008d68867e99
SHA1ba448ff5be0d69dbe0889237693371f4f0a2425e
SHA2566f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd
SHA51266f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4
-
Filesize
408B
MD5fe6f63f6b3ea05dcd5119e8efeb39b3b
SHA1d03c4c4a76627a5cb0782110271dc564708bfbf1
SHA25628c9ec5e257ea6d12c3b295f22788ef78bb40cdc612bea419d7d39c052f81921
SHA512bcdaf6e5d5fe9182e939d64e7da1fc2b1d2f54fc1bf422d2885518898bc9b2fe137a75319755f885f3ac123da9e58f8bc8a1eca6705b1c5e9c9c4c6d340805a7
-
Filesize
2KB
MD5fe5f77baa9a3c37e2aaf3b4ee324a049
SHA1a5c5da0d404ec05bda786f4bdcfb18bb4eb0b93c
SHA2567b5a2855455d23fc9e83783502d498a62e978c75d8be481f0be422c3babc6347
SHA5124e642c6c764f72e6c30a02e85b08e8ef3d9fe53050028ef7fbd33790b6635a5bf53364b32ea7a665f49fc96d7f604da7f343d6f7bfffa9e02b514661042fc655
-
Filesize
2KB
MD5ee0a4268675011957f5e7b6e1b6c4350
SHA15133688c9ff5b4d830a4025ecb59c2ace9769ef3
SHA256f2bdeb2ccc36062c6440915b377f8d0df3958562b7893f2d7b13ae5a989b5d2e
SHA5124a452c36b86b7e7c0190939cb591b4779daa38a568c7bc95c92e039fe130d7ae6cc6b2dd5acdc74b4db09669d02bfa1f3a3f108c9765e7def634956d44d4797f
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
3KB
MD522eb300d5f5a339e10e192482dc5a221
SHA16b62a4e27f5b8abe13f606f59b361c5e6f28ac90
SHA25668a7b721b7a602fe68f652f68f122efe3ca200a33cce21498edf7c666cee70aa
SHA5121db0da286996a7ca5ed6d1acd1e084c91fb99cccf7976fac74644c6c54139f94a3f2c8048b6700cf94e35fa7ffd5f64f460cfd5429972d675e584d2465f4fba4
-
Filesize
3KB
MD53d0849016038763a279ee11767088bfb
SHA19646b7130ae2b3e0378fe9b3f48ece01d2d9d611
SHA256860295fcf259b5cb2af17c5278bc402850043fc958cfc0c82918a484f7896c9f
SHA5126f5c1bde37cd70df469dbe95894c87256934401f852b8655983d11af73e2cadbb19e619b1e6588834f02c165d6bea031e73c7ec76d121028f508d919ffae6966
-
Filesize
4KB
MD5fce3550dd09182880cc16988c4647dff
SHA1587d9388a9bc6a3851b0e46690b8a15e77e945e6
SHA256c7801c870bde0335852cc352091865a7465aaab9a14394e7751a0ca3b0c76a89
SHA5125d1f3c2baef2869cfbe488f0bcdeb0badab23f5d42446bdab688ed4274aa75315ac98f3525977a6c01ce375d924b37a91416ed9d78e06988818dfa12e5f65060
-
Filesize
3KB
MD5e8e2981f66991ebe34fa642d25e2e896
SHA1050d7caec70290e21b8444e0d10737687eb3a532
SHA25699b24f21e8b52ca42f5eb3ef822d23287d26af0dcc15f0c59c7bc74c9ac5c7ba
SHA51285fe10363fbc565e0e8ebf6f6a1f38dd60f02a33ae847ccd72d92fd816d2f10913d9969cb2d8a0750aaa281192601076490e1a06f14010a284ea769efe853906
-
Filesize
4KB
MD5c5c44aea1a8d9db61dd26a06b6338f44
SHA1a39d2c0143ce3ff245777a94eab9aaab71ae7a21
SHA256598b855aae239b274b2ae16cfe4e5012996b396068f11cdc6fbf22c4f77b1286
SHA5120e2814117454945c5804cf38b01a27d479d2d3994504b03ffd957394d674da1f6ba002be0cf8c5e61bc4f85f2ebaa38321023af4847124729d5766dea48ea220
-
Filesize
3KB
MD5dd56e6e2b3132fb7179c4941401890a5
SHA113327d277dce00f87c782c74d948f524801a5ca2
SHA256d8176958d35c5c4968a1fccc2bdcdb66a7c502a5863976624cdb6a4406cd1dd3
SHA512104fafb47b58f162097f4124622e60227f12bf4580fd4bd5c374b31fb81172073eebda45c978d77040def75117fcdeba183a1263b0d53f1341def68584e82239
-
Filesize
6KB
MD5678960ac36ad64acdd6481aae1250019
SHA1e01d40e63a8512b87a53f3bb99a606b209171e42
SHA256342a389e26c9cac1f6b7d52d233badec329947808fb2dd04d527ed336f50248f
SHA512cb44c1eb87eb8cd9a62e9f451edbb63c3f64e250b68b7d5a286c18dcdfed9096e587a95bdc22de474d53c9339ed6e6d9d35f12220d2571521fef5edb0d6c4201
-
Filesize
6KB
MD5ffed2f9223103198ec290c880e1405cc
SHA158dec93ef74da75a73446ffaa05298ca47b884af
SHA256429e05cdda348e3220349e01020f377356f81ecf6b61f2b311337c19d53001f7
SHA512f8c7fc0cb7095285e4475df4f781e420aff3154da8b3053d567537e9bbced1b17a1165375b52c87225accb770dedd4de31e37ac861dc7f940c21ad6a02e4b530
-
Filesize
7KB
MD5a010f30e2ca54e88e37ce46ee7fee2aa
SHA1ab4494a4213b483e5c36828a7d5e8914bfd53ddb
SHA256e0d947d4d168542ace7461dcbcf5f3cc77182245b971f2e664570fbdfcc9cf08
SHA512fc9746112d0ff5a202cba440b0391de22c8abb56759e071b895c3d7391bea2fa312d6e3b0babc76ad9354799fa588d70c9445ba4665a5b35f70fac5dde8317f4
-
Filesize
6KB
MD537d75fbc0dc9c3a0d676b4940c53163b
SHA1f0f60ce4463afdc3da0aeb7a47763af390ff7604
SHA2561d09a569f944e9e0e346869b18cd43f96a25601e7c9d70e59798be457f8ba1f7
SHA512122e40601dcb6b408ec82be23cba2906f9305bac75c382afd96eae69f37981be32700c7ae8f3974c60d680a51e95a1c7c571d4aac6268fbfbd5115f5fd33a577
-
Filesize
7KB
MD5e00214da451dfe30db10be6822df09ad
SHA10d1a83f5b00bfd26f3644bc1f7264fb5e7ebf26c
SHA2568e94e7e5ae359e3aadf3fb80d86ee16ec0de55c3699aedd8d689d7049d9b918f
SHA51274980b7f099aa946589820916ea2646db8c911215223b8669666db61ae31a0b41255ddb70ff9437e7e6ec3f572fbccc4d9ce6659f0bcc4c32804a4af99d398bc
-
Filesize
7KB
MD5afcfcc2b296ec380c5e73d4a77a57c76
SHA1f3066ca4708d05a875bd069021222e4e266572c7
SHA2563646fe3de6dd38b1d4148f9104aca788e76ec8df66f348ffe1cbe1a6437c396e
SHA512218b23a9226140477423a005f98a4e5e2979fc2c0863fc56401c1d678ca111a0395c30e086efa800eeeb7adde1da03607751eb56f0e0968419014a9fc6f9a648
-
Filesize
7KB
MD56035db6ff4555a07e91cbf37d4ff5f97
SHA1514051d331c6a72a4e40d52fb7e82f14fa145177
SHA25668447f7b66a1984999059379aff56b66167d2a079d0d1e7dfc310c1c6b76f504
SHA51204fbd098ec58387ed5e76808e40a8a92d5ad6046417ebf3a83e759484f624b73250c667a7a0150e6e69af92c0adb8062b4be18605b86829594df572a5f767f20
-
Filesize
1KB
MD57a260eb53c4073d4a6901fda12bcd3eb
SHA11bb01b2356c18e835742f0e32a54cefea7c94498
SHA25659c48c8914a8e9d2c44ef209fc8269f626e02f1bf5b42c8749ef0f5d6e8b0d0c
SHA512878ada98a0a06f8682448fdc3948bf1026a9bea882ad0aefe30f643f36bc53c6134d8d8fa3b6bb8ca1c1f9f917ea5559d9c3e31bdf701a593d58f69ecf92aa37
-
Filesize
1KB
MD535687c65d0cd9b18981895149f2939c5
SHA14fe40326b9264a661ae88b284210911255d566c3
SHA25609c08700062bd9583a08888f3f385421044ede58cd7c816603eafbf2f55fc1fc
SHA512e96545ef2a1fcd662c5ca63644527fa7a668afe03474a47e8d54b6058d1a2c6079e423a78454ab942aa7a9c960de05fed0d84ef03c72f00039ee39fa2503e438
-
Filesize
1KB
MD5ec42b0a585ba5c2cf0ee8a6c8604dd45
SHA127bae0c41437008b9359dc9e53d46407e94c797a
SHA2567615bfe217041c055dc4d393169bf11e4fc372403e0831969f43778ef8c7ae2a
SHA512d6c44fb0f19794eb5fffa7b777cb556f4306b4f27f763da1644891ca04728af42b714a956c4faf637981eb7ecbd3a1f3b53e26256002806598f91f84cc97fc00
-
Filesize
1KB
MD5c6d9828c01e04fc6cc2f9b88015b68c4
SHA14329382fece1f6de46b4b999a22fe3f56f0953a9
SHA2569f28166ee7f0638f63cb2e86de620a81d45bedd924e60ee09a892bd40051d339
SHA512693dd4ee6441595222b9b9280fa89ee0b731d97cbacf14a5bdd5e9a0311a080a636ca48e0a6febd54093cd5042b652082b2dac51851b7144e9a88fce08525a27
-
Filesize
1KB
MD51b49f76d81ea24e0db1f7405a03025ea
SHA1c29b8c00a5be013fa07538de712e26fdf72480f9
SHA2561dee9e02d88f972d23c2675fb0a8073642d47ab2c91a79b9c9ae71e84f80bde7
SHA512dfcbb9d28f75d235e700b8d6097df769493842dc4da491cfbe8b26c0937dfa8c68ab2dc4e06e9e5718ee3825ebfcff2b77e521a6c094f4b85e572b86e6389267
-
Filesize
1KB
MD5a11cccc375af45714038af2c6e6c6b72
SHA1cc6555261d4dcbb7fd30c297220f4ea25fe9dafe
SHA25698cea6dd1040f0df8856da69b7ced88354072b30ab614d9633af783964fcdf77
SHA51286da4585e9fcaf24e61275f43f971af83e9ce640d958f397cb6152120720e31c443c01745a4634ef5064db587ddaa0ca4eb87abe9867300ee5cbd2a1ec86bbb4
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD542bba35ffbce2af50a5098df10e8ea0e
SHA10d36034d6ded146120a8e9e3ad79e9900472e639
SHA256b7243eb7f3631fcfc296e6d0eab924e4000bb6f1fd774d9a1944b188d2b72152
SHA512657651b9f1c94ebf939a30cad18437e951e5fdaefde41680000c37d4b6a386ac9f764814a553b4438581282f75a43d3319843c3ea5c65f15258b9dd6f49c18fb
-
Filesize
11KB
MD5cfff4fcb40e0ae3bb770a799de43861b
SHA10f206bb5ff22b391d9ac2fe0e4598747f449807e
SHA256187aee0a7ca6f8d6c8cb9a81593e223df920262bdf5abfa5a3e6fcbd21c16bc6
SHA512ab2d0b8ecf48782cd875148d6e5c2eda1fa545c82e7a5d68eba6652dd34d5d134773d793f375a0da95c7893f72640dab44ebf8459952f684732b0358112a0d8d
-
Filesize
11KB
MD51999230d75b2fa8e8d51bfa4a4c193cc
SHA1b34964cab50d8545aaab42b861c8095352d42f03
SHA256ea834ca3bc8bdacabac492585de5e8a89297263177185c6777a2aaaa780fdcf1
SHA512e60f552fd55756df94bc02cabdced4ea51e551cba906ee483bfd3d93766930200d2a2998949b4b566236bb498802562a256667e7f3106d3a31b757cb6699da41
-
Filesize
11KB
MD574c244f4b2ad7a1ff39cb476c33aeec8
SHA1e0c5e8c24e795729f692be11664f2fa5693ee129
SHA256b2a7187876ea3b988a793a7d71afd7b3f77c979ea499e22629c8be74fdd3ba31
SHA512df95951e2f81852518d96b3390790f0d2bed583dc6bb95e53bfee4dd8676319b05ca77f8fa9de2db59248426ce39d79a3d94b011567966dd9f2b61d16163115d
-
Filesize
11KB
MD5ba7fe211d85da12c181d908954fd4b1d
SHA1e647f9b5bf4ae0c5ea09076486874ba40ff7f600
SHA25696c4a0056877aba4692e6bd079c851e99ae1e6ea9209f5aad1cca23e8a34105b
SHA512dc1b1f4e37956865629034fffd77f95d93e0fb692ef022f3e90eeb06f51f88b2b28bc79e9a66abd2de57e237ee95fd925bd18330892a3096ab1109135b969265
-
Filesize
10KB
MD52bf8b49ae726b6251ed4b98c8bde132e
SHA15e5b4f295fec6133c97b3a2b9b313e1504177e6b
SHA25639e0a94897e8550f2f35ea74bf31a0c49173ce6586a1a89465e771302714e83b
SHA5120d1d7752934de65768c01269eee5b96cbb2aba4a56a750bf5df7da55f14784e0513d642aad8e01c2fc47cd7c106f86d6b277e8aee3744221e10468d38a9d8844
-
Filesize
10KB
MD5d12e797f18cb79137ad12b5e5139e1b8
SHA1f15fb437b1be86b714e278ce927b315fa0e16ea3
SHA256afb0f4a0229174f8118ab512b569fdb9eb3ebb0389cb11c9f4a0a2aa88ec258b
SHA512f6e8f99bcd0ecff7683c8e56fa2ffa3fdff16d6c17a2066b36bc3d78e2838130b5b23059a239b29a7ebdd0b5ca36b3f9cf388945bf1aad50a3f91cb8091223cd
-
Filesize
62B
MD5c890bea6e954f09438132954810d7427
SHA1f615d11deb02acb360649614730f82a909232618
SHA25644a8204cd11c7f1d91c8dda2fe2bbd935a55c8a62e073a220534ec8587f121d5
SHA5124b42cfbda92affdea4b3fb64efc28dedbe598800e6abe17733d0645a8c60d9586b8a28c8bd1ccae3cd6e305f6ff8050bd221d4bd40ba41b79d69609aeaf3a53c
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
1.3MB
MD53f6d2cef65fe49a38190781a0cb46707
SHA16132b1cbb8b81a587d3eda3c9ac3a1c434fb13b0
SHA256151261d221ba0f6120c7f16700ab0724b92ff3230f05a89ef15dbcd8198678bb
SHA512731b8fe2c578444ce859bf2061c342b13716e49647d99517358b69740e2f6e49d751474c241f25381b0e194defc2af9fe0f434aedd3bd96aa39cbd19dd457a58
-
Filesize
3.7MB
MD53a2f16a044d8f6d2f9443dff6bd1c7d4
SHA148c6c0450af803b72a0caa7d5e3863c3f0240ef1
SHA25631f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6
SHA51261daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6