hxxps://gofile[.]io/d/kQoB54

Resubmissions

18-12-2024 12:18

241218-pgqceazlfn 7

18-12-2024 12:17

18-12-2024 12:16

18-12-2024 12:14

18-12-2024 12:09

Analysis

max time kernel
46s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/kQoB54

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Steam Accounts Checker By X-SLAYER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Microsoft Windows Protocol Services Host.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk	Steam Accounts Checker By X-SLAYER.exe

Executes dropped EXE 4 IoCs

pid	Process
2384	Steam Accounts Checker By X-SLAYER.exe
1600	Microsoft Windows Protocol Services Host.exe
1496	sysAcc.exe
1376	Host del servicio Monitor.exe

Loads dropped DLL 1 IoCs

pid	Process
1496	sysAcc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Host del servicio Monitor.exe	Steam Accounts Checker By X-SLAYER.exe
File opened for modification	C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Host del servicio Monitor.exe	Steam Accounts Checker By X-SLAYER.exe
File created	C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe	Steam Accounts Checker By X-SLAYER.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam Accounts Checker By X-SLAYER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host del servicio Monitor.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1600	Microsoft Windows Protocol Services Host.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
1644	msedge.exe
1644	msedge.exe
3536	identity_helper.exe
3536	identity_helper.exe
860	msedge.exe
860	msedge.exe
1600	Microsoft Windows Protocol Services Host.exe
1600	Microsoft Windows Protocol Services Host.exe
1600	Microsoft Windows Protocol Services Host.exe
1376	Host del servicio Monitor.exe
1376	Host del servicio Monitor.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe
1496	sysAcc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	5052	7zG.exe
Token: 35	5052	7zG.exe
Token: SeSecurityPrivilege	5052	7zG.exe
Token: SeSecurityPrivilege	5052	7zG.exe
Token: SeDebugPrivilege	1600	Microsoft Windows Protocol Services Host.exe
Token: SeDebugPrivilege	1376	Host del servicio Monitor.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
5052	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	sysAcc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2164	1644	msedge.exe	82
PID 1644 wrote to memory of 2164	1644	msedge.exe	82
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 4580	1644	msedge.exe	83
PID 1644 wrote to memory of 3288	1644	msedge.exe	84
PID 1644 wrote to memory of 3288	1644	msedge.exe	84
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85
PID 1644 wrote to memory of 4908	1644	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/kQoB54
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdac1d46f8,0x7ffdac1d4708,0x7ffdac1d4718
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1729382804835079185,17024611937130849946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:2220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:448

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\" -ad -an -ai#7zMap14499:112:7zEvent9055
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5052

C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Steam Accounts Checker By X-SLAYER.exe
"C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Steam Accounts Checker By X-SLAYER.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2384
- C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe
  "C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Microsoft Windows Protocol Services Host.exe" {Arguments If Needed}
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- - C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Host del servicio Monitor.exe
    "C:\Windows\Program Files (x86)\Microsoft Host Interface\Data\Host del servicio Monitor.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Data\sysAcc.exe
  "C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Data\sysAcc.exe" {Arguments If Needed}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
855112b547f4e8c26fa78cdbe9280135

SHA1
01d6f6bf7eaff500f5d1e8db792c1731a970096a

SHA256
2df17e4752c1c76c02cb0ec85fb5755442b6a71eadbfdbd72696ca9b61e253e5

SHA512
df45e6dd63672855ef9eed0afc9f9f2e19c7747d57c84a5fafd32a48442ca27096e738138c346caa8a93b2ab5068691241fb2a4ccfdec713abe908ad341f03fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
25825d90d1b9ee75a7d57fe258d4e9ac

SHA1
049c359c016e3973f9656acfb730afc97b2c8a47

SHA256
abe59438ea9efc3795399242a90ad5d35b030080e1e0e5fa99cf0ea975608483

SHA512
7c60456d8960d18cfe0a3e35d9b8a2cf5a7ae6a15081362fc81eef4251cb75240f4496216d9458d07fffbdb4158e939da7a0c6954dc17230a70d496f2e3507d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7139b3b2c26b0b6982a5bd124699bab7

SHA1
3e8b0d5b747b7b492ffcd7e532ef54de2d76173f

SHA256
2dc1b99ef36014626766f5378fd29eb5944029756b56b7a72eaf328aea3095b2

SHA512
947474f7abf1183f045d52a905557cecf4d3206c49b2ffa569155ba3e382a9cc2f74577f94538a91e6cdb9c70156aea149ec04ab56a0411da5443699605064ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
211cd872aa919be35c8da3242f0fca50

SHA1
9ba31e9cd8539dbc00e0de04b50fbc17c7b62be0

SHA256
384812d04a6dca3b21ae366094207ff4cc73fdd9b4a2b14cda45e45d433c9474

SHA512
5722cd9b4927e64ce054db67c8e537b986ae4b4805ee1cfecae7659d14df84d478adbff293ae9a2fcada73aef9c8a86e3be8d18d8067ebc533d21db203deb00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c4503d9677de70508cbd7604c592dfac

SHA1
bd0160447f688b34f4cd44f5ddb4825b73ce87b9

SHA256
0bd2e4de968101eb514ed5ea6775dbe4c9f952e8636c56bbcf1703327941ec60

SHA512
5911d9333d208970e8a8b4b288aabe37d521ccb70fde62d15213086ca6c4e41c9320ef92d8ff74958d3412a3da292ea2fb851f594f320188285961568effe832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c2e4349d5d073702767913e85aec94a

SHA1
8eff099ead62c65cfd6806d34cc352af4fa39ec4

SHA256
83adf7f8625dfd6ad4ac58823e02c78c27e0f4802525fca6d466a62299d17ec0

SHA512
44b00bb598a01ba71e17e750465e235161c7fe0a828ce4acd5a8b7d26b64757d107d565233c065c7dd17ee857894c33ecf09152e17f6483ff53c405697bc11d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9e6b7422d80a889d78cdb68913291489

SHA1
bf18932e850b20a2a5af661da37529193b6b48a0

SHA256
2dfa2d734e3f28049ce0d092576f3c76950ed36e94eae156a1a0bf5af77e7cef

SHA512
dbbc7571655a435db636690cdc2cd932e9a11ef94c2f6fe48818d0e5e7d4795ef4fd83f5df207f7a0304975bd50e10e148ee8b43613c201138827d9e3af20ac0

Download Submit
C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.3.5.0\x64\ssapihook.dll

Filesize
66KB

MD5
c74d260d388f5ac3d95d8c1c3a27c989

SHA1
5da009086036004a7c670d608d5e1e923aead568

SHA256
dc1bebb8ce88d59e4b3130c1ff2c4b7f5df2701c7a71b476b8a6f2ed541db628

SHA512
6460db8f73806017d267c0e4e112902956a3bc53853c6a893cff66fe44772305b2c158ef8b58e993806d713aceaddcf2efa7ccf625063678444d3fd20b10546a

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER.rar

Filesize
1.5MB

MD5
df2aa099aaaf245e1125c949431ce534

SHA1
7fff72baa77272e1e314802cca2009c3c2d38936

SHA256
e539ac53241fd8d1d1d80e4b9b97f19cd7bf6fbe9b77fd24da09717c634d3677

SHA512
7de65faf0bd0ae75535d7061910d8dbfedf947d9a374baab6ff7f4643b1d4a64ec5a26d6f534cd79808e33e9025bb61cd79c3cbfb3d0d0b007289958173eea4c

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Data\Host del servicio Monitor.exe

Filesize
8KB

MD5
94e8ba6252cd134661b36ed83b205c8e

SHA1
c5f1febfd6330611e54b98d71b289797956c6f61

SHA256
1da772efd33f6ffdb470ce076f3f5db87f8691b980a2022b111b859c0adc2ab0

SHA512
9916c7de85fb123279c02ecb637ee2dc3286f4e65e82b1a66067a2475bc294a2d812a67b973758411a93dbad87dbd5703d4eb56139a5db93e95484b2b887eee1

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Data\Microsoft Windows Protocol Services Host.exe

Filesize
9KB

MD5
cd6242455e74beeef78e9954e4f8f4e6

SHA1
7ae8910bad2d80c9305db4e14b00ed70f501a7ff

SHA256
35eafbf9d0b2aeb388c7bdd133a08bba856c3569734824a6926754abd26b28e1

SHA512
bf3af18ac33e7627fe632f0f285b32f661f6de3d9ebf2e3ec39b387b256fab6743e3ec191f786b5066acc4a73959d8dece66ce08a1c26cf52e797d24e979f129

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Data\SkinSoft.VisualStyler.dll

Filesize
964KB

MD5
2d84a619d4bd339f860cb48af0c9b6c8

SHA1
05e520126ee1100c98263bfbd5a6ff0ce6ace4f7

SHA256
365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1

SHA512
bd0c5e8b018ae393a5f2b92b4a10b5b674ca466074d18b4f86b12cbe9a6a520a95323146cb8e5226b1698f14efcc63addf0df421677b7f5ba3c8d94dbcb511d0

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Data\sysAcc.exe

Filesize
753KB

MD5
559d0fada4454a2d16a4109dc49be8e0

SHA1
cf1a1b3845052a2051f6f2c0d80f232ed3fbb1b4

SHA256
c4fb143c793502192f663e4ab8670b7a672b62b8b6babb942af04ad8825e793d

SHA512
76dbfab70162a306ba4e0cfbdc260ab2128ae5895085d2de619ab68e59c3bc2ac0d08b4d39304945d68dd4947fecb6226e664be2bdb4a34389cb16e4488d34cc

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\Steam Accounts Checker By X-SLAYER.exe

Filesize
173KB

MD5
4c0fe11cfa2674861be72820ef140d64

SHA1
2244bcf0819a3c4e45ee43705b575e98699e3463

SHA256
24f5f762d94c6535e54fa966282ecdcbec1608909edbbbcbdcd7dae297f6f51e

SHA512
8fb89b648e067f1c3bca52ca40f3bb6a4faa7f0f242b428b1700e110204197c0f5870ba26b8a58cd6778ae6ea4218c2ba0f85347b36d94d0333beac5b4b84ef4

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER\Steam Checker by X-SLAYER\xNet.dll

Filesize
116KB

MD5
3df8d87a482efad957d83819adb3020f

SHA1
f5b710581355ac5d0de7a36446b93533232144db

SHA256
2ac175b4d44245ee8e7aee9cc36df86925ef903d8516f20a2c51d84e35f23da4

SHA512
da28c34a85a6530b1c558fa11b0e71e70710d719cd8ceaf81f954d1fe3927ec139bee6c5f3135425cc5220905240f1a31d831611c46d18f5d52600b607ea59a6

Download Submit
memory/1376-258-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1496-274-0x00007FFD3A4D0000-0x00007FFD3A4D1000-memory.dmp

Filesize
4KB

Download
memory/1496-269-0x00007FFD3A490000-0x00007FFD3A491000-memory.dmp

Filesize
4KB

Download
memory/1496-283-0x00007FFD35950000-0x00007FFD35951000-memory.dmp

Filesize
4KB

Download
memory/1496-282-0x00007FFD35940000-0x00007FFD35941000-memory.dmp

Filesize
4KB

Download
memory/1496-254-0x0000000000500000-0x00000000005C6000-memory.dmp

Filesize
792KB

Download
memory/1496-255-0x000000001B320000-0x000000001B416000-memory.dmp

Filesize
984KB

Download
memory/1496-281-0x00007FFD358F0000-0x00007FFD358F1000-memory.dmp

Filesize
4KB

Download
memory/1496-260-0x00000000026D0000-0x00000000026F4000-memory.dmp

Filesize
144KB

Download
memory/1496-262-0x000000001BB90000-0x000000001BC88000-memory.dmp

Filesize
992KB

Download
memory/1496-280-0x00007FFD3A540000-0x00007FFD3A541000-memory.dmp

Filesize
4KB

Download
memory/1496-279-0x00007FFD3A520000-0x00007FFD3A521000-memory.dmp

Filesize
4KB

Download
memory/1496-268-0x00007FFD3A4A0000-0x00007FFD3A4A1000-memory.dmp

Filesize
4KB

Download
memory/1496-270-0x00007FFD383C0000-0x00007FFD383C1000-memory.dmp

Filesize
4KB

Download
memory/1496-278-0x00007FFD3A4F0000-0x00007FFD3A4F1000-memory.dmp

Filesize
4KB

Download
memory/1496-271-0x00007FFD3A4B0000-0x00007FFD3A4B1000-memory.dmp

Filesize
4KB

Download
memory/1496-272-0x00007FFD3A4C0000-0x00007FFD3A4C1000-memory.dmp

Filesize
4KB

Download
memory/1496-273-0x00007FFD3A530000-0x00007FFD3A531000-memory.dmp

Filesize
4KB

Download
memory/1496-277-0x00007FFD3A510000-0x00007FFD3A511000-memory.dmp

Filesize
4KB

Download
memory/1496-275-0x00007FFD3A4E0000-0x00007FFD3A4E1000-memory.dmp

Filesize
4KB

Download
memory/1496-276-0x00007FFD3A500000-0x00007FFD3A501000-memory.dmp

Filesize
4KB

Download
memory/1600-252-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2384-229-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/2384-236-0x0000000007000000-0x000000000701E000-memory.dmp

Filesize
120KB

Download
memory/2384-230-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/2384-228-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/2384-227-0x0000000000860000-0x0000000000892000-memory.dmp

Filesize
200KB

Download
memory/2384-235-0x0000000006950000-0x00000000069C6000-memory.dmp

Filesize
472KB

Download