Analysis
-
max time kernel
777s -
max time network
542s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
-
submitted
31-01-2025 12:44
General
-
Target
LiquidBounce 2025/Liquid Bounce Injector.exe
-
Size
349KB
-
MD5
1166bb4123351851bd9a283654a51cf2
-
SHA1
2c53441f4df33453c26474fc3a01815d466b7ac6
-
SHA256
5dc4cef5041077ed2feef605b9db580efe0b3bcc86823aef08ab3da19c5e8797
-
SHA512
c62b8c3bf41ca424fe2e5e37057bae1273d533270e52a11e72aca3a35c67fc90fad4aaeb92317fe4c72e7480ebed14e5e9099f254a1beb24fe1c9c4131b86687
-
SSDEEP
6144:XcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37Jeb:XcW7KEZlPzCy378b
Malware Config
Extracted
darkcomet
Guest16
j4n6foy.localto.net:2596
DC_MUTEX-1R3S01Q
-
gencode
k7nfzKERaShh
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 51 IoCs
-
Suspicious use of SendNotifyMessage 44 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\LiquidBounce 2025\Liquid Bounce Injector.exe"C:\Users\Admin\AppData\Local\Temp\LiquidBounce 2025\Liquid Bounce Injector.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Liquid Bounce Injector.exe"C:\Users\Admin\AppData\Roaming\Liquid Bounce Injector.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x4881⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffce117cc40,0x7ffce117cc4c,0x7ffce117cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,15076527046907155568,13422263534412453690,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1992 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,15076527046907155568,13422263534412453690,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2032 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,15076527046907155568,13422263534412453690,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2296 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,15076527046907155568,13422263534412453690,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3204 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,15076527046907155568,13422263534412453690,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4620,i,15076527046907155568,13422263534412453690,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4616 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,15076527046907155568,13422263534412453690,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4848 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,15076527046907155568,13422263534412453690,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4888 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1864 -prefsLen 27199 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0d8dc78-99d2-43a2-a839-090bdf8bd3c8} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 27077 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66946bc3-f05b-41c0-82b9-9574d3b45e3a} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 2988 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f317c9ba-b2ee-4c05-a002-46dcf94e45d1} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3352 -childID 2 -isForBrowser -prefsHandle 3772 -prefMapHandle 3432 -prefsLen 32451 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a22337a-d6da-4407-9d94-900fa9b21739} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4656 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4728 -prefsLen 32451 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ee58819-1e6b-4391-a8c5-29a635a6ce08} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 4936 -prefMapHandle 4952 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6b1f6a7-d702-4d9a-a91f-9df729e2708c} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {523fefc2-457e-4f99-ac8a-4a3bae32eb5c} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5512 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd591aba-0c3a-452d-bee5-62682b72708e} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ReceiveCopy.htm1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffce0f646f8,0x7ffce0f64708,0x7ffce0f647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11238529187999396606,4076904100397793271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 28562⤵
- Program crash
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1152 -ip 11521⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\StepExit.cmd" "1⤵
- NTFS ADS
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51f09e489c5deefe9378c76ff031fb95f
SHA1e4497e7a8cf27c30060c58ea5255ae47e3705bfc
SHA2567dd0b078c88b464c645d1dd99073bec90ff4eabae9aa7efeb5da84b344d37d20
SHA5126304daa45ccb0b2809f54fd0a5c134a584588818e4c5157c50850dcf5f4e4762121a6660130cdb616b5c06e03ac2981aaca7ab4d3a3d8865a5cbe7ffa1a40744
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5e96ff20dc6002b3acf1ddef1618dc110
SHA1a45d65a603162b3433b6dff0ace08424944302f8
SHA2565362d8b7001169d7c4adbab8873c1c67f528e2b8752d1677cec5828587bf8975
SHA5127ab7f509c76cdbfaed2d6bb87b94dbb8be4d06d5451a05efc724c55cfc92599fba0ff1825bda7e997b7808b10a057e6b106f334d819bec866949613830321c04
-
Filesize
8KB
MD55c0174304f37bdbd8158c0a3ea5cc294
SHA1a96cd6380f2756a479c2c6229859920d021173a0
SHA2561689eb91f14041f27f453bcbca785081239946462bc8a9a7a124d5a073a15417
SHA512cc4ae8a0aeedbb1fc899d2e6e1e536a1d505eb6e4920342f6de4379245f37e4cf8700c3e05849047eaa01b502f3b502d73415f3fc4dd4b3d150085c897fa69cd
-
Filesize
15KB
MD5f2d1c6e665c501593bf33f5dfabe86f4
SHA12c6f9a432f9036fdcd77afaf1b8c6e2244c3b84a
SHA25696188067894056a09c467b65053b8a7d8dfc84c45aaedac9246167cfe35ae586
SHA51295b160364442990288045ff5dae6c2583c9a15c84369461d94e33b2fa18d0256ece4a9d771106e6311de1da5f5a9c0fb8ef8c8764ad0f5d1f1a6979f27970a56
-
Filesize
122KB
MD541635636bdbf6236220c27be5af2012b
SHA154f6ce5d4caa0ca3448a9923edc0184a8c5a4cf2
SHA25646d6253c448f269ca73f01f80eb8a817e3de7e90c533c86c44e8d1781764e873
SHA51266a1314ac55d0d737076da41c2eeff9a72f06924d95573890002c759f52c1abb840126f542c8c1a14487ce26edfb7ce5260a00c2b140d7e41e5e3ff1068ee849
-
Filesize
243KB
MD557d7072266c348bf7d840b67f543faf1
SHA17c5910330c73a6a9a0c00c82d787ad6866033f96
SHA2562f2e5fff12e9ecab26105be5ac085c40408fdb0dd2889ada48e8097cb5bf7427
SHA51265c3b9f497b89b81067e58d3f30f75b37b53ae9f802c4d0281cc328199a67771c2f97e00e437aff6745b9f35cbd22f035e5e47443d83057ddbf840ad4d7d5515
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
152B
MD58fe50664fd38239e8c01b75122cc6b3d
SHA136d011ccd6e5ce47ad0e69559c782d6482e6cf4c
SHA256c7be861be90fd1a2b4df96b30c8b39739d99f945f79d21bef4eb7481358bfb0a
SHA512f96af6111881853330c9c8816a354faf8946c97cc56e04b0de9a764a40f4541dd4b59c82a8db8c243f059c386e680f8c1f010c34f6da0cdb6fb1fa4de81afd85
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD507a6ba86e9a9b8f68a9d15d0744a52b3
SHA15382ebeae5dfa8ef7aa879e312640591b1a2c2f5
SHA25632c3a87f573e1368477a104eb1b063f59e91c12fe104a7f0e6d5918330b86468
SHA512d535e602514652d7d55b93ce00fea8cc500f65fbc1cafa18a1387f071fe07227b27855032cd0277d2623d5b802f062283df161704aab68175fe171648444362d
-
Filesize
5KB
MD536285383559af32f53abf789d6844ca3
SHA1679e0e149e1c5983b07b8105e47eeaad5c293ea3
SHA256803081108ad7f6706f8d9905c8ffef0bbf9c01e27253c8a0e7feb007cde4e6f9
SHA512821230489ead3ad739c80265bf8ed3981869afb4a21ceea54869ae13c60c8644c407aa3be7c1518b39fb89d1855205b36d34f022d1fad8ed7bc1fcf19f583e95
-
Filesize
24KB
MD59916595e42c060c849f2764ec3f7ac87
SHA14272a9cc38bbcf96a5bcfaf29b4cfd6f2831bab1
SHA256dc8e3cb64e4da9a5f7aa6bcc63f8d3669e6bfe6cbbc04239ee37bc708cedf36d
SHA5127024068caab366bcefac6d5d0bb15346fc636753ddabe51e9105fb4c81b4ace304f3fdb51449f00bec3e70fdd62aad5fc612cc40964f7a686a8bb0f17117c227
-
Filesize
24KB
MD50b525f58520a1eb1c712238e64e3769e
SHA1b7c59b36a09c5a74439581049e5167ef1885b6f6
SHA256dd91a04814f5da46c532ac9c65e72783fd2c54fa4881756f073382465e8f5da7
SHA5121c5e2837b429bb83e487dcc33142d88c9f3b224389c5afc67c77e5904b447b87c7e206d69d9f35386e3ad9ad1ceff159d4486eb64cefc854a6fdd1f17a01429e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD59dcce69f034b900ce72271c3bfdd2c62
SHA17bb676b9c3cc998faf454479e5896cd06a078897
SHA256e8e0f4f2cfeadd921486d8a8d0d3f5d559ef61bda9929cd781a1e5b9bb56cb6e
SHA51291c360c3664da223b2b306fe8d3b793270196a8f415786cf84e0eb04681adbadadb9355b9b26e243b3d542bd603e5787d4939a3911888b1fa823364159681e98
-
Filesize
896KB
MD5d77ecf28ef6d06c2344889429ccd15b5
SHA167f4f6709d4a697477e8afd81ed824a251f1325e
SHA256723fb5686f25f6edcab0719f6aa6bd331b861addc6710de1e722669e7e5288ed
SHA5121331c3886c4f3fe671611d3f4bc1e1f7679394b913f723bd5bb35d852f83adc064dcb1511547ffed1cdf746d0358805415db45aa6570996b777942b5189a0764
-
Filesize
1024KB
MD5113f51876f60f1982bc4a8119cb36a22
SHA12324eae07f652dfa79144fbe5b65bbf871bc80c0
SHA2565c32d01733249111f28b01e2111d1c99c3dc301f6c0551de646ac9139eda3459
SHA512fa03ca6c54ce0b0ebeff1fd74ea302c98e2d91f585fefaea1fe6bcfca8a617676982b87680425a50488a1a934144c1eefb4a42f42c654e1ec4f7848639c40fba
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
22KB
MD517c29327f0d77d7dd70d1822e10de6d9
SHA1dada04ea0e7a5bfcfe76f1309832eea095cc51ce
SHA2560c45f6ad4af5b1d4e1e207dec2ddd518dfdbaf1f1684edf184ccaef419ee30cb
SHA5123a26d84aafafb86fd76eaf6bfec832ffea8030798e80ad78afd7362052502a994415cbd868e6c0539c5071be43623c08029be46f2542c65efb7c7121e3efb4f1
-
Filesize
1KB
MD5cc92638c2c6bb7390628d39dfddf50b8
SHA1c9357c02e670d802a76a835e08e87cf8b2185599
SHA256021f9818902539e3f1436659ed6d56fb4a5b4a4c95aeb17c0eab3b9932dab58a
SHA5122e1ae2ee3b02ee2756466630850ae8380b6f7176d61ad3016ec8bc58a2b1b3e73f37f4feffd6f5e87694c7555678c53590b3fd36bbc0649be6ef6587f3cfd0ef
-
Filesize
349KB
MD51166bb4123351851bd9a283654a51cf2
SHA12c53441f4df33453c26474fc3a01815d466b7ac6
SHA2565dc4cef5041077ed2feef605b9db580efe0b3bcc86823aef08ab3da19c5e8797
SHA512c62b8c3bf41ca424fe2e5e37057bae1273d533270e52a11e72aca3a35c67fc90fad4aaeb92317fe4c72e7480ebed14e5e9099f254a1beb24fe1c9c4131b86687
-
Filesize
1KB
MD552079df568e2b475845be013404f0457
SHA10d2f29daf9c571056e4d8ef0a8858c5451076c3f
SHA25609c113d6dceb4f1f056546543690d58fba532688aeed95c5d2790548d4f59ea3
SHA512abcffc9192b5344a55d608b7c8494abbf4cdb32c19812aab3b3b9a0602a08a42a42bc67bc367c0da967a0546302c90d30aacbc3c4479afa64919f0ddc4fd6698
-
Filesize
3KB
MD5c95a4762b29c8f8b3451f90cda1cf19d
SHA12b455cdf046389ac200d84a4fd4febadd78beb46
SHA256594075f66b252e85d64e54e51bb1ac09180cb5e7d07c804189018987a498dc04
SHA512c7bb9ffb4d7ea8b77e12641fc320572976aeba7477e5c67b91a7601edbbdcc2eb5fe1a320b304a00fc86537eb184cdf7eac1123ee86deaebd76b9547e709d9c9
-
Filesize
6KB
MD5fefde386bf2192356bb615fdb335dcf3
SHA1edb77dd8792b42fa24a75c2b99fcc4e5f1edc988
SHA256b832bd4f18dcc71897371c3d309fb0d5ae0fdacf6d03fa97547738f1831ec927
SHA5129e8565e561a9450972c9e88776e42a00fd92bb308dd09925047c8a96d8128c03fd89a8801dddee1551fc25687286e103eea75bd4286e1c0f29309eb720a75d34
-
Filesize
5KB
MD528fb099983809a6ea852b50dde8b2f08
SHA1f8dc98ddac735559a621fc411ae1f1b1651e1501
SHA256b769f2625fbf1c0d3d979eb810305e9e55f4580beb283762849f50d4a4d07745
SHA512a00498246671d810f00fa4e57b89be1c557f35607fc6656bd87a881c5010e4f31cd155148eefc4483f6b7da9bd5073151931cdc3ffb6a2e2e24e69acedc680de
-
Filesize
982B
MD5c1a3720f7f2427034d19948b25fad612
SHA1db3a6da136c0590ea0978eef228d4bfc558e531f
SHA25647c65be083aaa53d0b2a8c437d50f52685ee2d25d7b5a89b2f202d41ff0613a1
SHA51246f5adf07072872de2a53f7ec87030d4af66e8fc9947ae7a376d83ea229b35187215ca62ba5dea1c70d4bce7a66ae64464b5101dea02d07ab0090d65b537b1db
-
Filesize
25KB
MD5f1790bddf1562eb1717e6bfd97d0057a
SHA1abd34c72041a1f3d3a8b2bb3108e8e076d527e1c
SHA256d6a4697e36c37c134f1724f51ac8a810c77723175df83ff934f6a991f9df9761
SHA5121e0a8d789fbd1fb5edf9da1a2cc7398915763b120e76d7d6787bfd0fe2ffb6519869e58d0809345341f7952c2891a5057695a5eafb2ec3bfe918a6c870e52a89
-
Filesize
671B
MD55d1c931c37ee5abe3db1fb919e941c16
SHA1d253231e7fb84f8a353e8936e26073d4a2c0fc49
SHA2566b91716b3ab1aa346a53f302d25d78ab61dc2f5408c08d70034ad01fd6516ff3
SHA512ebcba402a3a3a16306d8b4cca7def4d4686d1da68eda88cbd2d25bfc46b4556cdb5fe8b5988e93c2e515106646e6b49795c4ef9e00a6673fc988d212412c73bf
-
Filesize
9KB
MD5c69c0429c9ff25cec9fc27bdabd33470
SHA1e89b272939ad59dbc6f7f9b0fd411c73e8e438ce
SHA25641406b4f65bfbd3f4e4e798b4f7b98d77c32dc6e83a451d54a7b551be7da7624
SHA51240dc8e6a3b3dcdd6f2e718bbb1e27026aab78b554848b5dd959de4341ad7e0ddd9fe7c19de769c0c8fd8d6ab95c9213de70404d226476b31cb12aa3936723048
-
Filesize
9KB
MD56c4cd5935fb359d6d8e4a759cfc6cb6f
SHA119620698261ddafc0b5b586d57f9dd8b363e240a
SHA256a66a2c706ebe559eae7e3da3f55d9f7882893b755b19f597ea937aa8d6642a7b
SHA512ee867f78ecd81543e9c88bd69dac71b4d1c119145135b7acca099f7e75e0be79a25be72be3e8460311f8cf77b3da3c6869a0f9de72db7e2a463fe4ff4799a5e7
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
4KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
4KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
4KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
4KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB