Analysis
max time kernel: 527s
max time network: 528s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 15:00
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/file/d/19YfmqcnVfgEolP6KujOlLM1bxQfgklhW/view?usp=sharing
Resource: win10v2004-20240802-en
General
Target: https://drive.google.com/file/d/19YfmqcnVfgEolP6KujOlLM1bxQfgklhW/view?usp=sharing
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.

resource | yara_rule
behavioral1/files/0x000c000000023502-136.dat | dcrat
behavioral1/files/0x0007000000023507-157.dat | dcrat
behavioral1/memory/3212-159-0x0000000000F20000-0x0000000001052000-memory.dmp | dcrat
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | cheat cs2 dada.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | bridgeMssvc.exe
Executes dropped EXE 2 IoCs
pid | Process
2624 | cheat cs2 dada.exe
3212 | bridgeMssvc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
2 | drive.google.com
5 | drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cheat cs2 dada.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | cheat cs2 dada.exe
Suspicious behavior: EnumeratesProcesses 25 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
5904 | 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeRestorePrivilege | 5904 | 7zFM.exe
Token: 35 | 5904 | 7zFM.exe
Token: SeSecurityPrivilege | 5904 | 7zFM.exe
Token: SeDebugPrivilege | 3212 | bridgeMssvc.exe
Suspicious use of FindShellTrayWindow 35 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2624 | cheat cs2 dada.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(depth 1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/19YfmqcnVfgEolP6KujOlLM1bxQfgklhW/view?usp=sharing
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4768

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8f2946f8,0x7ffd8f294708,0x7ffd8f294718
PID: 2284

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
PID: 4620

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 1020

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
PID: 2260

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
PID: 4612

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
PID: 2308

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
PID: 1404

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
PID: 1488

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
PID: 4032

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 5100

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
PID: 2816

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
PID: 2536

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
PID: 5016

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
PID: 3164

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5332 /prefetch:8
PID: 5384

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
PID: 5392

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 5468

(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID: 5068

(depth 1) C:\Windows\System32\CompPkgSrv.exe
command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3928

(depth 1) C:\Windows\System32\CompPkgSrv.exe
command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4068

(depth 1) C:\Windows\System32\rundll32.exe
command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 5756

(depth 1) C:\Program Files\7-Zip\7zFM.exe
command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\cheat cs2 dada.zip"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 5904

(depth 1) C:\Users\Admin\Desktop\cheat cs2 dada.exe
command line: "C:\Users\Admin\Desktop\cheat cs2 dada.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 2624

(depth 2) C:\Windows\SysWOW64\WScript.exe
command line: "C:\Windows\System32\WScript.exe" "C:\Driversvc\tCotpHghVcuBa64RG5zII0GzSadK.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 5380

(depth 3) C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Driversvc\ZjkXiln9O7FJXNp1In5kIyxeOSm.bat" "
- System Location Discovery: System Language Discovery
PID: 1916

(depth 4) C:\Driversvc\bridgeMssvc.exe
command line: "C:\Driversvc\bridgeMssvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3212

(depth 5) C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2rMIhTWdha.bat" "
PID: 5916

(depth 6) C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4708
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads