Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
25/02/2025, 02:57
General
-
Target
Private_Cheat by pc_Ret v8.exe
-
Size
2.8MB
-
MD5
9f031ba9a4e474e8a87e16e49bf61bc4
-
SHA1
37f4299fb8888fd7bc477e659e50adac41c3f4f1
-
SHA256
7921c12179578321423314c5458842e5f057609027c7b0a7fb4c072295ad8d6b
-
SHA512
95218bbf2f905d791e7aca7d659eaca073f132e6380a2b0a4c152785653618cb919b5e3d0455c57094e99f414283b459c2280703785ace3a929a6c03235d1e5a
-
SSDEEP
49152:ah+ZkldoPK8YaMWS1/D+MRMOtjR/zTqny/f5ft1xSKHYS:z2cPK821/iMRhjR/zXR1jT
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\Information.txt
qulab
http://teleg.run/QulabZ
Signatures
-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
Qulab family
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 55 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Private_Cheat by pc_Ret v8.exe"C:\Users\Admin\AppData\Local\Temp\Private_Cheat by pc_Ret v8.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Z1004308289\Baldr (11).exe"C:\Users\Admin\AppData\Roaming\Z1004308289\Baldr (11).exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Z1004308289\Build.exe"C:\Users\Admin\AppData\Roaming\Z1004308289\Build.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\ENU_801FE9737A5A456E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\*"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb5137cc40,0x7ffb5137cc4c,0x7ffb5137cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1868 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2256 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2492 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3192 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3740,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4596 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4864 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4920 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5092,i,13883795131493205672,8988370937599388341,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4e1146f8,0x7ffb4e114708,0x7ffb4e1147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4308 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,18340815046779056093,1715296358484561703,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3060 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x300 0x40c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c9be626e9715952e9b70f92f912b9787
SHA1aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA5127581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
174B
MD5e778a953bf0feadfc633a88f03eeade7
SHA176575f08bb06b8c7a84849072b260f3886aa6678
SHA25660abac3c5fe5ff55735daf7b4c67390ceae4aed0dee5b8e6fc159d63315b9512
SHA51223c845017ffa9da10c5abd3b58d51d67d91c83672e04d454cdec7d4dc5eeebb4c5056357a5dbb1114020c0ae5b38e76ef77ad8154ff88a60346b9dae1d98fe17
-
Filesize
170B
MD5f0e4c4f565a3c9713a55784ffad09f7f
SHA138e8ebac7d1d10d76f7ddff7bb29c1e61b71cfd7
SHA256a6dfd02216927c148fbf3ca524d112a562c5417868414a404149931ce6de58b2
SHA5128cec6aea340478ac837540d200f4741f9ac5ff873069b16ab6c04f582aeaf331cc79839d67017434110af73df9037a81f48ef9b012483ba5ffaae7df678d663e
-
Filesize
2KB
MD532b5ccb1918afe75537728e265804941
SHA16fbea359b24b5b11849b216b7d1481f30690cce4
SHA2567903613fa2d7b01bbe101ce37d1587908619e9498c86c9d7eebcc9acd2c293ac
SHA512e0349130628906065cdcc27eacec611e61f750766b624fcc55dbad7f6cd82ca2da7dbfe58ea0d8a8d8b057e66349f2117c0452828ccf9b3c9c8cf317b96d3881
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD51016666830a606085054d2a3aef81879
SHA1c7f770504a7fe21a2212f6c6eb72ad2da4bc2776
SHA2569083c73a9e57437c9b44a01b2c5530735ff4baccaf934afa399b9dfd043635b2
SHA512bcce19a09e54a90aeefb19b4b8ddf9668b4da53a357b529043aa21e102d8c9cc2013db21028b987daa30ada6a7740e3866d49d4805ad4424fd9a48d7e24b4000
-
Filesize
9KB
MD57533db6bed8a013360415c26b1d50b24
SHA1d5d02cc42c428bf645c436c2ce27f67adfa549f3
SHA25640ef6d8e90b4648b985088dbe9dc6c39779003518f71f3ea7117768779e07c86
SHA512e5798db5ebcab646df75bce481643fa75e2f046f9a12f042c1a47543317633015143eb219c62cc4e321c9dce205a8fcc7db7e78939eb4165a311181f51c856ce
-
Filesize
8KB
MD57af3e7e29f51a7da1f4250136ae4266e
SHA1bc497db175acd220cd63824756e54c32e388117a
SHA256bf05a0e9e3bcd27fb2e4eb2ea66abbfe35c0c29239b5c5976d40279062570c14
SHA512388c321fb5fae9ff84491436793f203e36bbef77ca5294e97a058ab6171f7fd2415ae2e0cede10029dfa3a8524b357aff0117d28a19ef7cb642cb1faa38ddbfb
-
Filesize
9KB
MD5c56bf0e518ec65830bffadbcce41e6c9
SHA1141554d7000994bdbc1575a2ba4109fb1d1a9e83
SHA2566064125f7c6e14ff47c09c23d89b01d3bf9ed4c50df3307324ec1bfc50021f84
SHA5127e5a29036ab6c5361c7e88460757b9124e3ca655e32bee145b7eaefd6fb8dec503cc8da5110b39369e8010a6f58fe127c07e2a802b0b6c0d2ed815907c25d28c
-
Filesize
8KB
MD5e81566ba7e9c7563d4a1339e001207e0
SHA1785cbc780b0ca6fcf11f1837c2aa9e39895b1729
SHA256d3cd71700c37e61f2e40dc273cbe59888eb08e4b6bd341bd1efb3126c36d0a0e
SHA5127e487f42ef923a101002c28eb04c91cd4aca9309c146a44a4e7496772514261fe34a4e1ffc826a3a80a55496a1eb9309b1cacce818f0fdc707f9f836865354f6
-
Filesize
9KB
MD5b2569c55f784c7cee410dab100de1920
SHA16fe7794d7d399cb96014522a68a909da508dc68e
SHA256e04a31566e39cd7843849e0442b6babf2ef16d492f68b87c34ab6282e2adc57a
SHA51271c21bdfdbc7afa34f5f4d61d31352df945133ebf3497ea24720d70755d7896e85f835991d74448a91d7f72c04619e8be3cc16e891452aef0ef87c64403355f4
-
Filesize
9KB
MD5b3026653486ae65fb0c1439a113ee377
SHA1d20c007e37816924d6e4e73e2d76a7cc5f2e19e0
SHA256d2563bd270c1dba444c9ba079fbd2d97591dff14dcd844fbb692425ee896b5ff
SHA5126be88b2484911aebb56aca85aaaea8e102ad08056cfc81d2038bb76f44406d570469d3bcf31268daa40cc69f8fb473829401d94b72a51e00f54059f60e33b334
-
Filesize
9KB
MD5695d0b2ec6ac50c24724aaa8751ae47c
SHA1dba1e845e17b3dd59006c1ef47ff30f424851fe0
SHA25664528331e14e6e4108189859c6b9461770cae05c8d0f390c1344afa3a0201c4b
SHA5122e7cb95c44113dac623fc7b12a94ca7ca75f279b6fc193664e6c547591955038e359019e4106e3815df9497024aa3acdafd55935a21d1bbbe5758a43fdb90ba6
-
Filesize
123KB
MD5b086af50afb6d798fc5c588e8c20cad7
SHA174579ca3569dfe9d15b020645dbe4ea863c9d98a
SHA2561354244c7072c77a01635e9a4c0bd9994134f83baf7688f92145159cabbae195
SHA51203dd18e9aa35a830c55eb067ad926e80da5e5a828fd8d34c51246807b6821c0ffd732f3d81d15402a8eeb2b0b07842777934954472750159bcaa9cfc86551dec
-
Filesize
123KB
MD53dd7aa8bf17abe1423a4c33f1d4ac3e2
SHA128992872c0c6cd91e946e375691131d02d14855d
SHA256f7e38bcfedb8ccc845bab36d04b3cc13be4328588570a81a2920b2986594adcb
SHA512e885b976f0392ce16a89402ef1266b425964cce7effe077cf97bbddd996a161cb027c8687221f6dd7441dfe5e9f16998a85a1b32586b503b7d51fdc78a9d6427
-
Filesize
152B
MD593be3a1bf9c257eaf83babf49b0b5e01
SHA1d55c01e95c2e6a87a5ece8cc1d466cc98a520e2a
SHA2568786fd66f4602e6ed3fa5248bd597b3f362ffa458f85207eaa154beb55522348
SHA512885b09dd3072921f375eedb5f0575561adc89700ecfbe999bc3e5ea1d7cb45e19d85c5e420f2c0a12b428742e1110e66f4ceecbe5a6badddd36cc9e0aff48e52
-
Filesize
152B
MD56738f4e2490ee5070d850bf03bf3efa5
SHA1fbc49d2dd145369e8861532e6ebf0bd56a0fe67c
SHA256ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab
SHA5122939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b
-
Filesize
202KB
MD59901c48297a339c554e405b4fefe7407
SHA15182e80bd6d4bb6bb1b7f0752849fe09e4aa330e
SHA2569a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2
SHA512b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742
-
Filesize
1KB
MD5926dc370ed7ab855677dfd91c5561834
SHA107b3379ed7fcf1628219e6cd3833964eafdb43e8
SHA256ec07c6985d52c1e55b3fb71ec50b90f1f70cba3df8e8c716288bd4c3fb00f4c9
SHA512b851ba5fe37c5c3cd383f40ad682e7abf84dda416760ab77e61a733d6c712b4bda867beef3530537736e14c4c50e85c84e964571e9b676f6056665239e68b964
-
Filesize
706B
MD5daedd325cdcd0333e16f3e2856a35f58
SHA154d02d27892710b08d9f6050b3fc622483d80cb6
SHA2562303fc502447c0a2a0ccdf17a9d4df9bd67accfa5a26700bffc8e93cb989109c
SHA51284df321cb84d875c2b09d32cfaf536386cddde21ed0461d15548a68faef51ae1a9630f8c0c3e360e633e678f67808f18fa15d1f07d9ecab5d4a1ba6a5a417bf9
-
Filesize
7KB
MD5a59d27cc22c27f633a0fcb9f69e87a6c
SHA15ae46aaadb9c952f2a54afaf8d611baf33f45aef
SHA256e370a7df0fdf62f22e8f84720f55a5fcb01c3ba1c898bf2d232a285fbcadbb3e
SHA512c2ccc006519c5f207119b3a96a6e73d3c34d1c46c6a4128afba1f159c9244c9dd204fbee84d2ff91200cc005190cd57a264d4d87e2ecd773bc88e364bcd936fa
-
Filesize
6KB
MD50430790489aa686bc0a9ad9f6635dbef
SHA1493e8dcba06213a9421c638aae97cf8e32a40b43
SHA25639627f0cb85f8d27ec63be4babdacc637216b21deb6a0af00e7c440c6a2d1204
SHA51211e67e475c8a87a86bafec131c6bd7b43079e5ac6ce36fab0109cbba461e945156b319d434b7f1b51246cc258483511d84a2c5999c099baf157b1d705e7edc2d
-
Filesize
6KB
MD58e549f9f68ac45f043c3c5fe5599441b
SHA15c822aa5c4a4ffa8ef53d7ebf2da70a8a83a427b
SHA2564d166902afb8fc47a7c4b248b1ac0353bb3e65cd3b40fdf40b1c292cffcab52f
SHA512adb3cb57c8db96747a2dad00beb74bcbef10740370047d4e757159d279ff425ae40adb1aa0ee49c463744c4c99235627b3b214a466cd5fe40f30bdfbaa419fc5
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5acc6d427d5e1f253b5d3062e63d54a33
SHA1cae1431bfa3364d6c44b4fe4755ee733287e7375
SHA2564f09026d2ed05055ba7063e36bccdc1987f5b77b069d6d65e212f95cc6581531
SHA512410366d3c3b96de03ace19b8500eaa7b5485c4e9f226d5ad18c20a5baf5b9c1e0715eebc9b024806078c39cc21e588ff130cd9e7d7ddc6e2e954276ed94866de
-
Filesize
359KB
MD5434da06978e9724ffa6d90b93ef62c75
SHA1d469ed20d82e8dec3140aec8d52b4d56d975dedc
SHA2566350e9044f2ac74d8d51793a8b446b944081e533bf2915faf9bc14aaa0c55795
SHA512391404b4678f296d74d2bc81ae89bb4c423199adc509e69cd573717313ac3078e0f09a90e1dd4e618001608ae5b5aa0f10ae7855d98866179dc05cebfc50053c
-
Filesize
321KB
MD5d24276ac40d35830f2b62afae1eb92a4
SHA1eef691098d9635be8aa8739a3830aae5be889ef7
SHA2563675e60b99fbbf818883e12da047223ef7490f08fd52df40867785e4586186e7
SHA512ede7e171d73d64c20681362420f1662a8871bc6dffec806ced6800e3147f2f2d452be68ef738eebe71fce34d24f6549174cb930c1c7368266d416fd40d8db5aa
-
Filesize
1.8MB
MD5e30988e3026df37370cac7ce85faec85
SHA17e2f2cecb759372b6e381afbcda9dffc3e475ad9
SHA25637bc62e63d2cccc8c326ba42dfbc24d0ed2a2ec967eb4b24c1dce9dedbda5d08
SHA512ae21cee091a3bb2109552508a2f03c46c9c6ea63a2b33c794fce9b6ee3ceae185e9a06ccf6d11894696b231935c5c3c5dfea9aec370b1b4282a5bce58fde1c7b
-
Filesize
4KB
MD5e0a8972d1f9eb60e2f4c57ff1fdc6535
SHA1628c5864cf8b7dc3ccd7d61a3adec23cdbb3fdbb
SHA256b63e8c0cfbc757ea7bac6d289915abcc312594467b1be738ad8e19fd0239f708
SHA51252c9906c313dbfe286d9f380e1d3f446a9330fdf70cc237835d0372cc9f70842da4848fc5b6ad0fdbed4ea6a2d79ce43e06ea35b490d3dbef8466ea379fc56b2
-
Filesize
53KB
MD54a08ff26099f2f771579a2ba9d20f7c8
SHA1e1ebc25fb189dc0541e72e3048b9e2ff8f457ff5
SHA256ddc3139fe73695cfdd0d38ffa8f0cfefec4eca55920846a80b5ef9a5a42318aa
SHA512800349d89b9c45a3984c9d7c7cec6c6c333d93bfb032e5211b02d1d7d8b414c63e4b95d6243465925c9b368fe5935c9729ef1b041465fe135e6f3a846a711802
-
Filesize
218KB
MD59c5b4e4fcae7eb410f09c9e46ffb4a6d
SHA19d233bbe69676b1064f1deafba8e70a9acc00773
SHA2560376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9
SHA51259c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5
-
Filesize
218KB
MD5e82f9401a1e258f204020186f9a714ec
SHA19493e1ecaf8d24dc41df6811b96b459fe046dbdc
SHA25676eb583552ef509e5c1c2cac4abc8442c0bbd59ce5c78a46c0f3da18158d542e
SHA512f3514debb1e1f1a5dea4565e236105adbdbe05cbe509e8335ad4f1558b4beffbfbf0c519bcb4530760f5a3c39743ff1935818949c140bb694803a8ad15beddaf
-
Filesize
359KB
MD5a6e1b13b0b624094e6fb3a7bedb70930
SHA184b58920afd8e88181c4286fa2438af81f097781
SHA2563b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd
SHA51226c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
280KB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
568KB
-
Filesize
568KB
