Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2024 19:06
Behavioral task
behavioral1
Sample
Z-Launcher-GPS5.exe
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
Z-Launcher-GPS5.exe
Resource
win7-20240704-en
Behavioral task
behavioral3
Sample
Z-Launcher-GPS5.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
Z-Launcher-GPS5.exe
Resource
win11-20240802-en
General
-
Target
Z-Launcher-GPS5.exe
-
Size
1.6MB
-
MD5
e6db71cc80920480219f16c0c54013c7
-
SHA1
4c7370868e5187d5d017c69df552dd809b76c1a2
-
SHA256
5b9a78809c6718019832322023e94982761032adb51e1a44ba139d4f63369542
-
SHA512
0b229b4b3e2cac3cd25748af0cbcc37840825b2d4f9d098e97e183f2f763fe240d0df89ef98a8c19c32e4cee61145d9e6f478598b6598384b6035ab714ebce55
-
SSDEEP
49152:TkTq24GjdGSiqkqXfd+/9AqYanieKdsfM:T1EjdGSiqkqXf0FLYWC
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1279142597218013264/8mlljrcp8pu-na1Kxr-pwaQv-IeIN4qXz3iwqKTXrY-DPCA89wjqOAQeRKn7qMqu3BR6
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Z-Launcher-GPS5.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Z-Launcher-GPS5.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Z-Launcher-GPS5.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 19 discord.com 20 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 icanhazip.com -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1016 3760 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Z-Launcher-GPS5.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3748 cmd.exe 3792 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Z-Launcher-GPS5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Z-Launcher-GPS5.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid Process 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3760 Z-Launcher-GPS5.exe 3484 msedge.exe 3484 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 5044 identity_helper.exe 5044 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3760 Z-Launcher-GPS5.exe Token: SeSecurityPrivilege 2084 msiexec.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe 3248 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3760 wrote to memory of 3748 3760 Z-Launcher-GPS5.exe 86 PID 3760 wrote to memory of 3748 3760 Z-Launcher-GPS5.exe 86 PID 3760 wrote to memory of 3748 3760 Z-Launcher-GPS5.exe 86 PID 3748 wrote to memory of 3668 3748 cmd.exe 89 PID 3748 wrote to memory of 3668 3748 cmd.exe 89 PID 3748 wrote to memory of 3668 3748 cmd.exe 89 PID 3748 wrote to memory of 3792 3748 cmd.exe 90 PID 3748 wrote to memory of 3792 3748 cmd.exe 90 PID 3748 wrote to memory of 3792 3748 cmd.exe 90 PID 3748 wrote to memory of 3544 3748 cmd.exe 91 PID 3748 wrote to memory of 3544 3748 cmd.exe 91 PID 3748 wrote to memory of 3544 3748 cmd.exe 91 PID 3760 wrote to memory of 5100 3760 Z-Launcher-GPS5.exe 94 PID 3760 wrote to memory of 5100 3760 Z-Launcher-GPS5.exe 94 PID 3760 wrote to memory of 5100 3760 Z-Launcher-GPS5.exe 94 PID 5100 wrote to memory of 3172 5100 cmd.exe 96 PID 5100 wrote to memory of 3172 5100 cmd.exe 96 PID 5100 wrote to memory of 3172 5100 cmd.exe 96 PID 5100 wrote to memory of 960 5100 cmd.exe 97 PID 5100 wrote to memory of 960 5100 cmd.exe 97 PID 5100 wrote to memory of 960 5100 cmd.exe 97 PID 3248 wrote to memory of 656 3248 msedge.exe 107 PID 3248 wrote to memory of 656 3248 msedge.exe 107 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 4064 3248 msedge.exe 108 PID 3248 wrote to memory of 3484 3248 msedge.exe 109 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Z-Launcher-GPS5.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Z-Launcher-GPS5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Z-Launcher-GPS5.exe"C:\Users\Admin\AppData\Local\Temp\Z-Launcher-GPS5.exe"1⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3760 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:3668
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3792
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:3544
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:3172
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:960
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 29362⤵
- Program crash
PID:1016
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3760 -ip 37601⤵PID:4428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe795f46f8,0x7ffe795f4708,0x7ffe795f47182⤵PID:656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:22⤵PID:4064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:82⤵PID:4176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵PID:228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵PID:2892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵PID:492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:12⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:82⤵PID:4908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:12⤵PID:864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵PID:1900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵PID:64
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,6201474639601012424,8367272950595418718,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4748 /prefetch:82⤵PID:4684
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3168
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3872
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5983cbc1f706a155d63496ebc4d66515e
SHA1223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd
-
Filesize
152B
MD5111c361619c017b5d09a13a56938bd54
SHA1e02b363a8ceb95751623f25025a9299a2c931e07
SHA256d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2
-
Filesize
180B
MD500a455d9d155394bfb4b52258c97c5e5
SHA12761d0c955353e1982a588a3df78f2744cfaa9df
SHA25645a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA5129553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f
-
Filesize
5KB
MD5c8f91937279be988f14f435c6a692c14
SHA122a1590bc94f4adea48c2adcfd2f79415cf2d3aa
SHA2562dc4bda50bae2740d4f19449dba91aa7078a12dc15e35fa55695699acfc7b333
SHA5127d7cb41705920b69517cace7feb287faf7d01d36a6bfb4bff4961eee106c676017c82f99638f145d940f4b9f18074f4ae8cf04a02836cbf8b82e433b07bc9659
-
Filesize
6KB
MD585547378b9e0c8dc304ac7d40ce58eaf
SHA147d083c0e2ef5b526a34538ce64c5db3aa18f806
SHA256c14dfb565c1198bf3cdfdf52d9485bffcce731b661eac7eaa30cec362bcc7669
SHA512df21fd4ae0fef0161812fbaf9f9ac6dc9d376099952a971f1ba99626bba58498ed3acf9598698bd76802446aa7415fc07c8b521ee49d59146a8f46eefd11a870
-
Filesize
6KB
MD518575785d41e4c1c46c024c50ce2bcc0
SHA1aed05ca6a0840de056990b1aaa184d495c6a47a8
SHA256f48c9af63769d8dbd4d27102d82ca79f56eb84ea721134452b44ec98ff1051aa
SHA51245ae6273449f183993c32b9d7c6753cec55e80509b49f2ff6923931e8b86299e59e3a48c3a821cfcf992201fbbcd3d4930202226259bc9cd5eb6b79efdabbafb
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD504dadc2b9e16dd62aea87a490ca58fcb
SHA1cf5d6a608863de463db8b7ba651b90dbb88a2be5
SHA2563da641645ad5be4d319b6d73406ce437f9f0a58af15f9c0d8e384632325c2c4b
SHA512e052494db9a71a2eeb4b85aeab90e8db5d83d751c8b43541a77f73ac673df3de97e3b6e0ffd5b19ad452b8598411c75ea12297c9ebc7feed104ff1d8bf1aba53
-
C:\Users\Admin\AppData\Local\da40a2b876f63cd5f41fc7256ac870aa\Admin@MKDTRXIT_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\da40a2b876f63cd5f41fc7256ac870aa\Admin@MKDTRXIT_en-US\Directories\OneDrive.txt
Filesize25B
MD5966247eb3ee749e21597d73c4176bd52
SHA11e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA2568ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
C:\Users\Admin\AppData\Local\da40a2b876f63cd5f41fc7256ac870aa\Admin@MKDTRXIT_en-US\Directories\Startup.txt
Filesize24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
C:\Users\Admin\AppData\Local\da40a2b876f63cd5f41fc7256ac870aa\Admin@MKDTRXIT_en-US\Directories\Videos.txt
Filesize23B
MD51fddbf1169b6c75898b86e7e24bc7c1f
SHA1d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA51220bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
Filesize
6KB
MD54633fa8465cc921b18e6e4b0c5ed0317
SHA11f05c2f2245efff0204a52f2dc588d9909efc019
SHA256b1bc5cac961eb905dff3e591998dbf8b0e39098229a7289d2270195a167b4ecc
SHA5123b3f1235151966fa9bbcdc36152afc4808126839414dd5132f075fb94201fbc68670d15a00e27dd7be9651628e0f5ca7cb448d67cf3aff23bb98e03abba57ce5
-
Filesize
1KB
MD532c4f21ad188bd7a465ca68927c9d583
SHA1c5febaaf8778a76790cbcd2156bca961672d0667
SHA2565f9f73ffdcacd685965ec474f9148bf690c67853d123dbd39cd7c71e9623e206
SHA512b0994c68a9e74c3a7dfd656c836e4d914ec5206d3e50a00d7971932d387be946cf88bea168f032a35cca428b2cab260573c664a86b6261989b0ec8576b03ec03
-
C:\Users\Admin\AppData\Local\da40a2b876f63cd5f41fc7256ac870aa\Admin@MKDTRXIT_en-US\System\Process.txt
Filesize4KB
MD5e2b7534bf4c5c6aa864614e9b4bd847e
SHA11d01033d0616fad949c9fe49a9b4eeda6101d3a9
SHA25661b2a632f71cc6e92a9cc748e0e6661aac44ba00f20a43b571397a88f477045d
SHA51279e0047bfde086a668003ed9ebdcea4827a278060bdb0de07f053c290427098f60d5dd54e6cb1210632e91240fce1007a68b82277ac62fb6180a9abf66fe7164
-
C:\Users\Admin\AppData\Local\da40a2b876f63cd5f41fc7256ac870aa\Admin@MKDTRXIT_en-US\System\ProductKey.txt
Filesize29B
MD571eb5479298c7afc6d126fa04d2a9bde
SHA1a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA5127c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd