Analysis
- max time kernel: 136s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 11:41

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/viniyan/Fluxus-Roblox-Executor/releases/download/Donwload/Fluxus-Roblox-Executor.rar
Resource: win10v2004-20241007-en

General
- Target: https://github.com/viniyan/Fluxus-Roblox-Executor/releases/download/Donwload/Fluxus-Roblox-Executor.rar

Malware Config
Extracted: meduza
- C2: 109.107.181.162
- anti_dbg: true
- anti_vm: true
- build_name: 703
- extensions: none
- grabber_max_size: 1.048576e+06
- links: none
- port: 15666
- self_destruct: true
Signatures

Meduza Stealer payload 38 IoCs
Meduza family

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Flux_V7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Flux_V7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Flux_V7.exe
Executes dropped EXE 6 IoCs
pid | Process
3752 | Flux_V7.exe
2696 | Flux_V7.exe
4236 | Flux_V7.exe
4144 | Flux_V7.exe
1728 | Flux_V7.exe
4896 | Flux_V7.exe
Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
61 | api.ipify.org
67 | api.ipify.org
51 | api.ipify.org
52 | api.ipify.org
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 3752 set thread context of 2696 | 3752 | Flux_V7.exe | 127
PID 4236 set thread context of 4144 | 4236 | Flux_V7.exe | 135
PID 1728 set thread context of 4896 | 1728 | Flux_V7.exe | 142
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2116 | cmd.exe
2748 | PING.EXE
4824 | cmd.exe
1544 | PING.EXE
4604 | cmd.exe
464 | PING.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | OpenWith.exe
Runs ping.exe 1 TTPs 3 IoCs
pid | Process
2748 | PING.EXE
1544 | PING.EXE
464 | PING.EXE
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
388 | msedge.exe
388 | msedge.exe
2700 | msedge.exe
2700 | msedge.exe
3916 | identity_helper.exe
3916 | identity_helper.exe
4132 | msedge.exe
4132 | msedge.exe
2696 | Flux_V7.exe
2696 | Flux_V7.exe
4144 | Flux_V7.exe
4144 | Flux_V7.exe
4896 | Flux_V7.exe
4896 | Flux_V7.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4868 | 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
2700 | msedge.exe
2700 | msedge.exe
2700 | msedge.exe
2700 | msedge.exe
2700 | msedge.exe
2700 | msedge.exe
2700 | msedge.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeRestorePrivilege | 4868 | 7zFM.exe
Token: 35 | 4868 | 7zFM.exe
Token: SeSecurityPrivilege | 4868 | 7zFM.exe
Token: SeSecurityPrivilege | 4868 | 7zFM.exe
Token: SeDebugPrivilege | 2696 | Flux_V7.exe
Token: SeImpersonatePrivilege | 2696 | Flux_V7.exe
Token: SeSecurityPrivilege | 4868 | 7zFM.exe
Token: SeDebugPrivilege | 4144 | Flux_V7.exe
Token: SeImpersonatePrivilege | 4144 | Flux_V7.exe
Token: SeSecurityPrivilege | 4868 | 7zFM.exe
Token: SeDebugPrivilege | 4896 | Flux_V7.exe
Token: SeImpersonatePrivilege | 4896 | Flux_V7.exe
Suspicious use of FindShellTrayWindow 42 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
552 | OpenWith.exe
552 | OpenWith.exe
552 | OpenWith.exe
552 | OpenWith.exe
552 | OpenWith.exe
552 | OpenWith.exe
552 | OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Flux_V7.exe
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/viniyan/Fluxus-Roblox-Executor/releases/download/Donwload/Fluxus-Roblox-Executor.rar
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2700

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8cc2246f8,0x7ff8cc224708,0x7ff8cc224718
    PID: 3776

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    PID: 692

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 388

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
    PID: 1456

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    PID: 1788

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    PID: 1360

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    PID: 4316

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3916

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
    PID: 2164

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
    PID: 2816

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    PID: 2992

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    PID: 5032

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5820 /prefetch:8
    PID: 3580

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    PID: 4512

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,18408951316229092883,16059120767694752649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4132

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4616

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1704

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 552

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3848

C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Fluxus-Roblox-Executor.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4868

C:\Users\Admin\Desktop\Flux_V7.exe
  "C:\Users\Admin\Desktop\Flux_V7.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3752

  C:\Users\Admin\Desktop\Flux_V7.exe
    C:\Users\Admin\Desktop\Flux_V7.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2696

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Desktop\Flux_V7.exe"
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 2116

      C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2748

C:\Users\Admin\Downloads\Flux_V7.exe
  "C:\Users\Admin\Downloads\Flux_V7.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4236

  C:\Users\Admin\Downloads\Flux_V7.exe
    C:\Users\Admin\Downloads\Flux_V7.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4144

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Flux_V7.exe"
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 4824

      C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 1544

C:\Users\Admin\Downloads\fluxsus\Flux_V7.exe
  "C:\Users\Admin\Downloads\fluxsus\Flux_V7.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1728

  C:\Users\Admin\Downloads\fluxsus\Flux_V7.exe
    C:\Users\Admin\Downloads\fluxsus\Flux_V7.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 4896

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\fluxsus\Flux_V7.exe"
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 4604

      C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 464
Downloads