Analysis
  max time kernel: 145s
  max time network: 141s
  platform: windows11-21h2_x64
  resource: win11-20240802-en
  resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 25/09/2024, 13:22
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: https://gofile.io/d/jY1CkK
    Resource: win11-20240802-en
General
  Target: https://gofile.io/d/jY1CkK
Malware Config
Extracted
  Family: asyncrat
  Version: 0.5.8
  Botnet: Default
  C2: 127.0.0.1:1337
  Mutex: dIdD3t8xZS0Q
  delay: 3
  install: true
  install_file: plaguefix.exe
  install_folder: %AppData%
Signatures
Async RAT payload 1 IoCs
  resource: behavioral1/files/0x000100000002aaa3-82.dat
  yara_rule: family_asyncrat
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
  - plaguefix.exe (PID 5112)
  - plaguefix.exe (PID 572)
  - plaguefix.exe (PID 1936)
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  - File opened for modification C:\Users\Admin\Downloads\plaguefix.exe:Zone.Identifier by msedge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by schtasks.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by plaguefix.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by plaguefix.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by plaguefix.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by timeout.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Delays execution with timeout.exe 1 IoCs
  - timeout.exe (PID 2680)
Enumerates system info in registry 2 TTPs 3 IoCs
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe
Modifies registry class 1 IoCs
  - Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings by msedge.exe
NTFS ADS 2 IoCs
  - File opened for modification C:\Users\Admin\Downloads\Unconfirmed 514282.crdownload:SmartScreen by msedge.exe
  - File opened for modification C:\Users\Admin\Downloads\plaguefix.exe:Zone.Identifier by msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  - schtasks.exe (PID 4172)
Suspicious behavior: EnumeratesProcesses 32 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Suspicious use of AdjustPrivilegeToken 7 IoCs
  - Token: SeBackupPrivilege, svchost.exe (PID 2448)
  - Token: SeRestorePrivilege, svchost.exe (PID 2448)
  - Token: SeSecurityPrivilege, svchost.exe (PID 2448)
  - Token: SeTakeOwnershipPrivilege, svchost.exe (PID 2448)
  - Token: 35, svchost.exe (PID 2448)
  - Token: SeDebugPrivilege, plaguefix.exe (PID 5112)
  - Token: SeDebugPrivilege, plaguefix.exe (PID 572)
Suspicious use of FindShellTrayWindow 35 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(child processes are indented beneath their parent; each entry gives the image path, the command line, the signatures it triggered and its PID)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/jY1CkK
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4508

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab2203cb8,0x7ffab2203cc8,0x7ffab2203cd8
      PID: 4548

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
      PID: 4364

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 3712

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
      PID: 728

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      PID: 2504

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      PID: 2820

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
      PID: 2964

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 5028

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
      PID: 4292

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
      PID: 3940

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1632

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5788 /prefetch:8
      PID: 2116

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID: 3324

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
      PID: 388

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
      PID: 4944

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
      PID: 4660

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
      PID: 2744

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17815450956153668089,6863148351237427222,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6056 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 2964

C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2100

C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3328

C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3948

C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k SDRSVC
  - Suspicious use of AdjustPrivilegeToken
  PID: 2448

C:\Users\Admin\Downloads\plaguefix.exe
  cmdline: "C:\Users\Admin\Downloads\plaguefix.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5112

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "plaguefix" /tr '"C:\Users\Admin\AppData\Roaming\plaguefix.exe"' & exit
      - System Location Discovery: System Language Discovery
      PID: 1280

        C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "plaguefix" /tr '"C:\Users\Admin\AppData\Roaming\plaguefix.exe"'
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 4172

    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp981.tmp.bat""
      - System Location Discovery: System Language Discovery
      PID: 5056

        C:\Windows\SysWOW64\timeout.exe
          cmdline: timeout 3
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID: 2680

        C:\Users\Admin\AppData\Roaming\plaguefix.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\plaguefix.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 572

C:\Users\Admin\Downloads\plaguefix.exe
  cmdline: "C:\Users\Admin\Downloads\plaguefix.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1936
MITRE ATT&CK Enterprise v15
Downloads