Analysis
-
max time kernel
8s -
max time network
13s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 18:14
Errors
General
-
Target
6062be2d025d361d3f9e55025df28d480bf4af4173370ab7f864edd5607b8ff2.exe
-
Size
1.6MB
-
MD5
438aa744ad50d178d14cff58650170d7
-
SHA1
c7b2bb880271ba1d802bf380096e9c21d906b104
-
SHA256
6062be2d025d361d3f9e55025df28d480bf4af4173370ab7f864edd5607b8ff2
-
SHA512
4970d8bf30f68d93eaddbab400208e40cf5d7d8401d8e4787e61e0aee9feccb22616d73716ed49ae940b63e53d2910a391e8bdb97e413c25af76e6f1a5e3ef7b
-
SSDEEP
49152:S+rE9uKjA588ZoQsdt2ntZOHPFbCfOXmG1Fe:Do9xMXiv2tZOHPxCw
Malware Config
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
Mystic family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Redline family
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6062be2d025d361d3f9e55025df28d480bf4af4173370ab7f864edd5607b8ff2.exe"C:\Users\Admin\AppData\Local\Temp\6062be2d025d361d3f9e55025df28d480bf4af4173370ab7f864edd5607b8ff2.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\de4JQ64.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\de4JQ64.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wj8rr70.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wj8rr70.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PC9OK48.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PC9OK48.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sN8nU42.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sN8nU42.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Yn7YC32.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Yn7YC32.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Mh58uI0.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Mh58uI0.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2fQ2662.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2fQ2662.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WS51mb.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WS51mb.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4GV994nU.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4GV994nU.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5em9ZI7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5em9ZI7.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bk1Rx9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bk1Rx9.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7hB3sd56.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7hB3sd56.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A4CB.tmp\A4CC.tmp\A4CD.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7hB3sd56.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,18184663733918805443,10487679140820827350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:15⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,8634853085317512920,9879186737861609238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,8634853085317512920,9879186737861609238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7784793077509615751,3159001828427390520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1434312225543275371,738342436296127037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1434312225543275371,738342436296127037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x8c,0x170,0x7fff150b46f8,0x7fff150b4708,0x7fff150b47185⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38ef055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58749e21d9d0a17dac32d5aa2027f7a75
SHA1a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
152B
MD534d2c4f40f47672ecdf6f66fea242f4a
SHA14bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA51250fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
Filesize
6KB
MD560fda644b83c70d36d50b758dbba8050
SHA19d41e9ea7c90ad4009164d172e4ab5a0fb313945
SHA256529584030b559ca8932e067506fa0c12ac2d26ab0d4d9d456cde76edf55a3441
SHA512ae78f1c4e291268bf7ac88c5c36e6a67a3a3f243a55ed7c4d75ea051ef6a5abb5265cac9e22f7651aecd504257d022b10289062e7d0fff3e01f89f1022dc82b9
-
Filesize
6KB
MD51c6cc9c86f46fa0fac0ffcba93d448eb
SHA14eca678258385195efcd6e5f8c0d72be1e490046
SHA25620ac2696cd2a678ec02c6d690bfc5ab4d84b60a4dfe3ab77f50a6a6fad37200e
SHA512964966212137074dc6ab2f605210387849dd8e23f1f51f68d2061cb93f3c128884a027f3c9281ddc612a65c2981b58dbaf771d6401961a3965cfecafa45fef5c
-
Filesize
8KB
MD5a1e4f8e7a0e2558614088b655e1d8253
SHA1c9a163a08d6838283924dc41a09fc21677066653
SHA256e073a324df69e9581bb928da3c011f8ab0a85ace21521b592c3bf97723d51285
SHA512e90f080f308ffa92c1ef7202e99b6b805db1292f0bc7cdf9baaa3dd1ddde067ffdee933ff25cb35ec8603230bd88da4673451f2eb26f04179f3150511aa58926
-
Filesize
8KB
MD54eac9c2443a224d91e7d14fd0618fe19
SHA1f09e7dd878899f7b9ef8b8ac0f4d6afdcbc3d5f1
SHA2563b60a16f014843404ceb5d93af755255daa49203db06cdc115ca6be6652ba1a4
SHA512e84a8ced5daa69407ab9cdf111db9f10b9445de0923ea8c91b8d6eb5dd6de3ff471c11fcca5bccbbfcb0bdba470a46c20ba61e289448418e7cd15dae432b470d
-
Filesize
8KB
MD5a852f07ce9b48b16c7ed27829436d9de
SHA1c41dff8a77ab8d8d597eaf49d89f66012f1a3bbf
SHA256fd4c8ab4c244a6a3429286810b8390fc78fb062d29c216031ef6aad1c0c7fefc
SHA5125947cf29e853102312d8c0c998228233dba5943976b831358e362c2371611e3030b8533edb8abc38319e5d26830f37533e3c34f6f8c5d0c4312b5fd72f312aef
-
Filesize
10KB
MD5fc8905f47b9af2218b4650bbc9695271
SHA19be6fd99bc49132e2880ca1bd181bc723a573a17
SHA25636bd26374925116210a90567905328d9f380ba9b7fcd76773c109967e7e388b3
SHA512a4b4159b50657f8b0c844d6283dd76e8f0035a6f0bc9911c3d6d91494d843d092e7eb3c3ea6eadfbd493b022e4127b37e0ec3c7d709556ed8e5ef2eba08f29c4
-
Filesize
429B
MD50769624c4307afb42ff4d8602d7815ec
SHA1786853c829f4967a61858c2cdf4891b669ac4df9
SHA2567da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f
SHA512df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106
-
Filesize
89KB
MD5665d8cc7b7f7ab23858b1d53432cec5f
SHA1f122878f24afed4d642345ba962a0cffb8153df2
SHA256d241c3ae73a550997fbb65c492eff4adacad3cfb13c23696bc2becd87571bc8f
SHA512661fd3bd182aa604e531c91f2c7eaf1c26e64f6f3c73145837dd99a5a72f2871d5d2696abd8a6a620411c8f04b0f445dea1beb245ba2af43064d4a30d7388b68
-
Filesize
1.4MB
MD5aacb0b52bad98ffe1a47515a815091b7
SHA1fc976dfe2c9eb23dda175543fdc67bd426c037f7
SHA2562e442db9bd7bfae7c32c04e5f3e4d88ffb2e23f958ed30162b2a4e968baba1ed
SHA51211c88e03f80a69ceb24310175969833a406472863ebcb089ff2a0983e1f2363f54824df9af42da15218303cb074fea242034df0710f6ce8ea5f9aa13ea076342
-
Filesize
184KB
MD57e028f5471f1f1773aae466d9be1fc1b
SHA1d2ed78e5cbd28bbf4ca234628f6679ce8c225dc4
SHA256fd8d2e2f92640733663907c07aa83e0614fabd2dc83aaa092fd68816cacef60c
SHA51226f43bd41676d85974d0c1b34287f60ba0e9b901b802e2a109b12dec838177fd5fb6cd3cba417bcec847fec9349a721bdf05dd75bbf7a0191c1482d27da72f9e
-
Filesize
1.2MB
MD53e4d98e5deeb8b6f03e17c7ff19588b1
SHA1fba8ea6d9f0e44d4c9f7b9ce6471b3021823c154
SHA2561ee0e92ec005f05b93a2774f3ebb54355383cb98defb6615f60aced6da7c3b22
SHA512df6d4fb0e917eafd6387708e8c6e211e47e81dcbe8a9d773ebc30cc7367ccf6e3325d38bde46faafe5ced14f525bc637ab1d4fb5ae770dc81119db3647029916
-
Filesize
221KB
MD523f373fcb190ebfb2d471ab1e43c7333
SHA114978d7e9c6a0a315e6bdc227d3e41816d202bc5
SHA2566e102a7f2f4acb8bdc0c6910fabcae29cefe99e40301ff27e90b34b76ff2d756
SHA51280bb35374336bffec5c40dcafea4d5dfbfdf1cc06cc90ffc7084355da1f6b0ab91f964a16bca52dc2103698db0b55fda9dacd5492e0664df7382426dfaf8fcff
-
Filesize
1.1MB
MD59243a3d6071cdd7911f466b7d277a1b7
SHA13de23e5c4d19b0591e1656a8d5a81cea8425a660
SHA25666664ecd9a42cbcf9ea96a63780d7452f871b8de09e26e8e1a43d3092d190670
SHA51231d9f868b3e20b79d4ecdaa8b3cc4ad80757368cffae36d67b3e825bf86d0bf93699aed4e71719cf1819c8b088a68d262204d0b013c9b4ed8392d3857e54d2bd
-
Filesize
1.2MB
MD5ec5c9e75ea15963b7a1076f794f6cb46
SHA11dcaf8b4cef91216a1169a18a1f9cf0749e7a86d
SHA256e5d56ec80821c59c288d3438e48f2edf8caedff66dbb021d3c0f6efde573a4e2
SHA51215c592d358616b54184a70ffb2efe07997c8341939101358baff77a745af149034d4a6fc10f1ef16ab9712bd3250e902b68f561a923a42283c90e169bd59d9f4
-
Filesize
664KB
MD5d51c17a95dfe76fe4f1f5e0c7bf1f9a7
SHA1a5f6d0468122071f3f4c65049877292622503c22
SHA256062846f126f04fac4b8ae99c3d783e42bd023f7faa0f9bc35e50cd58a347068c
SHA512bbf4be213c5ef2cc2b6ca801c97137ac185ec291b323cba4422353ab2947aba21e8df2b42b005efdc1d0ba569abf58f3ba10dee0847bb19e4aad3f92c4c6524a
-
Filesize
31KB
MD59d7578973560acaa1a8811c3d5cd485e
SHA158a829e8491cf71ddc1607bba316ea2f46b24f0d
SHA2565ecf1df23ef2ff2027bb90c661e73dd2796c53bb20b968158e5f28a453e2136e
SHA5123c7a07fc41b4cacbebe25e2d83790ade9272546e84c7a5fd67d18ee2940b4a3dec7eb35d400461583f1a7476af72b37316320ee6ee5207f87560f34e2fe27c4e
-
Filesize
539KB
MD52c977372e1fe0ba499b45b0b819e438d
SHA1c29cf0ca0528bad2d4e0f80688685e45071543ce
SHA25690fa4696d36c55efe8f263582d6bc3c66b32913ff951823ebc88d6d6ca13790e
SHA512ed2e5b05aa9ba0cec954d1bdb1884c7b1ba0a5915b14ca413b296c034138c797dda5b892343087fe95d780e9338eb10bf2f765f435f092a47247fcb6bc341ff1
-
Filesize
933KB
MD555e62d273a63d9ef05c2f23c65bc538e
SHA113b57683435a530b1380eb140307b1b3680d8844
SHA256d79c9e89d6939d8c1edb7bff535b038e4e06ab5fa7be8ad3999f0cfb5ccc384d
SHA512cbcd8c9d0567c3e0f72e4de0b1aadbdfeed6420c5f74bcb5ebbd699bb789f0137b0fd5ccf35262a8588abc9c807bb3a0f7579202c1564aced38d6af6a9749234
-
Filesize
1.1MB
MD58ce29c72b8f51d35cb16469edc09323f
SHA1a3cc884cfecfa400a0a2cd9804c61d1de9444bc5
SHA256125f4f6b9b78b57416bae38b655096abfbbfe61337e43b73840f3b72f070ea52
SHA5121063ea1597e1c0248df5d1673139bf672d96c89297fa497a262f73e7da62b67889c3655f71445fa5cb15d187d47f00fab3e63eb737d395147712cd600eeaadbb
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
1.0MB
-
Filesize
248KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB