Resubmissions
18-12-2024 12:18
241218-pgqceazlfn   score 7    18-12-2024 12:17
241218-pf4hmsylet   score 7    18-12-2024 12:16
241218-pfevaaylb1   score 7    18-12-2024 12:14
241218-pegbqazkhp   score 10   18-12-2024 12:09
241218-pbmdkayjf1   score 10

Analysis
max time kernel: 37s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 12:17
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://gofile.io/d/kQoB54
Resource: win10v2004-20241007-en

General
Target: https://gofile.io/d/kQoB54
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  Steam API Cracker Coded by MR.ViPER - v3.0.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  Microsoft Windows Protocol Services Host.exe

Drops startup file (1 IoCs)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk  Steam API Cracker Coded by MR.ViPER - v3.0.exe

Executes dropped EXE (4 IoCs)
  PID 3552  Steam API Cracker Coded by MR.ViPER - v3.0.exe
  PID 1684  Microsoft Windows Protocol Services Host.exe
  PID 4396  SteamApi.exe
  PID 4428  Microsoft Windows Protocol Monitor.exe

Drops desktop.ini file(s) (2 IoCs)
  File created  C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Virus Total\desktop.ini  7zG.exe
  File opened for modification  C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Virus Total\desktop.ini  7zG.exe

Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Monitor.exe  Steam API Cracker Coded by MR.ViPER - v3.0.exe
  File created  C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe  Steam API Cracker Coded by MR.ViPER - v3.0.exe
  File created  C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Monitor.exe  Steam API Cracker Coded by MR.ViPER - v3.0.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Steam API Cracker Coded by MR.ViPER - v3.0.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SteamApi.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Microsoft Windows Protocol Monitor.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  PID 1684  Microsoft Windows Protocol Services Host.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  PID 1260  msedge.exe (2 events)
  PID 2444  msedge.exe (2 events)
  PID 1832  identity_helper.exe (2 events)
  PID 3972  msedge.exe (2 events)
  PID 1684  Microsoft Windows Protocol Services Host.exe (3 events)
  PID 4428  Microsoft Windows Protocol Monitor.exe (2 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  PID 2444  msedge.exe (9 events)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeRestorePrivilege   PID 1004  7zG.exe
  Token: 35                   PID 1004  7zG.exe
  Token: SeSecurityPrivilege  PID 1004  7zG.exe (2 events)
  Token: SeDebugPrivilege     PID 1684  Microsoft Windows Protocol Services Host.exe
  Token: SeDebugPrivilege     PID 4396  SteamApi.exe
  Token: SeDebugPrivilege     PID 4428  Microsoft Windows Protocol Monitor.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
  PID 2444  msedge.exe (34 events)
  PID 1004  7zG.exe (1 event)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 2444  msedge.exe (24 events)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2444 msedge.exe wrote to memory of PID 3616 (procid_target 83)
  PID 2444 msedge.exe wrote to memory of PID 3356 (procid_target 84)
  PID 2444 msedge.exe wrote to memory of PID 1260 (procid_target 85)
  PID 2444 msedge.exe wrote to memory of PID 3612 (procid_target 86)
  (64 write events in total; each target above is written to repeatedly, all from PID 2444)
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/kQoB54
  PID: 2444
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff160146f8,0x7fff16014708,0x7fff16014718
    PID: 3616

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    PID: 3356

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
    PID: 1260
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
    PID: 3612

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    PID: 516

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    PID: 1248

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
    PID: 4408

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
    PID: 2540

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
    PID: 1832
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
    PID: 2552

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
    PID: 1768

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    PID: 324

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3892 /prefetch:8
    PID: 3212

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
    PID: 1648

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
    PID: 3972
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    PID: 4912

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14628866687827436472,16530987266149598596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
    PID: 3300

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2148

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2436

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2796

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\" -ad -an -ai#7zMap18236:112:7zEvent7210
  PID: 1004
  - Drops desktop.ini file(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

"C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Steam API Cracker Coded by MR.ViPER - v3.0.exe"
  PID: 3552
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery

  "C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe" {Arguments If Needed}
    PID: 1684
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Monitor.exe"
      PID: 4428
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  "C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Data\SteamApi.exe" {Arguments If Needed}
    PID: 4396
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index  (144B)
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Data\Microsoft Windows Protocol Monitor.exe  (9KB)
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Data\Microsoft Windows Protocol Services Host.exe  (9KB)
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER\Steam Checker by Mr.ViPER\Steam API Cracker Coded by MR.ViPER - v3.0.exe  (13KB)