Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-08-2023 22:31

General
Target: da2af38db4b5bd416d2be6175630727cd3be73f7d52177e33d2a1da660d62185.exe
Size: 3.1MB
MD5: 871556e1a93a261d9f942055b47ae9d9
SHA1: c2c8fde536274f8adc0177196fe80644c11edbd5
SHA256: da2af38db4b5bd416d2be6175630727cd3be73f7d52177e33d2a1da660d62185
SHA512: e869cd9d698bf05a7e20fac22177ab167bd956f379759fb2b3af5ed37bf2f636cafcecb4d4766ac9020481b42d1560539fffc2e6c189b752a2bab7d645fddb64
SSDEEP: 49152:6vct62XlaSFNWPjljiFa2RoUYIM1SE9oGdBiTHHB72eh2NT:6vg62XlaSFNWPjljiFXRoUYIM1Se
Malware Config
Extracted
Family: quasar
Version: 1.4.1
spread
adequatelicensing.at:4040
d93e662e-a9de-4198-89ca-f18764fe29de
encryption_key: 36FFB0B8C391E84D40C64F776A2794BCA2549D86
install_name: Updater.exe
log_directory: Logs
reconnect_delay: 1000
startup_key: Java Update
subdirectory: Java
Signatures

Quasar payload (3 IoCs)
resource | yara_rule
behavioral1/memory/3956-133-0x00000000002E0000-0x0000000000604000-memory.dmp | family_quasar
behavioral1/files/0x0008000000023211-139.dat | family_quasar
behavioral1/files/0x0008000000023211-141.dat | family_quasar

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (4 IoCs)
resource | yara_rule
behavioral1/files/0x000700000002331c-739.dat | family_stormkitty
behavioral1/files/0x000700000002331c-744.dat | family_stormkitty
behavioral1/files/0x000700000002331c-745.dat | family_stormkitty
behavioral1/memory/184-746-0x0000000000B40000-0x0000000000BD8000-memory.dmp | family_stormkitty

Executes dropped EXE (1 IoC)
pid | Process
4856 | Updater.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1108 | schtasks.exe
4724 | schtasks.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3011986978-2180659500-3669311805-1000\{657C9824-6F00-4C81-9A64-02424586EDF8} | msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4260 | msedge.exe (2 entries)
2104 | msedge.exe (2 entries)
2860 | identity_helper.exe (2 entries)
4324 | msedge.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
pid | Process
2104 | msedge.exe (all 14 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3956 | da2af38db4b5bd416d2be6175630727cd3be73f7d52177e33d2a1da660d62185.exe
Token: SeDebugPrivilege | 4856 | Updater.exe
Token: 33 | 4408 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4408 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (29 IoCs)
pid | Process
2104 | msedge.exe (all 29 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
2104 | msedge.exe (all 24 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4856 | Updater.exe

Suspicious use of WriteProcessMemory (64 IoCs; duplicate rows collapsed)
description | pid | Process | procid_target
PID 3956 wrote to memory of 1108 | 3956 | da2af38db4b5bd416d2be6175630727cd3be73f7d52177e33d2a1da660d62185.exe | 84
PID 3956 wrote to memory of 4856 | 3956 | da2af38db4b5bd416d2be6175630727cd3be73f7d52177e33d2a1da660d62185.exe | 85
PID 4856 wrote to memory of 4724 | 4856 | Updater.exe | 86
PID 2104 wrote to memory of 3644 | 2104 | msedge.exe | 100
PID 2104 wrote to memory of 1988 | 2104 | msedge.exe | 101
PID 2104 wrote to memory of 4260 | 2104 | msedge.exe | 102
PID 2104 wrote to memory of 4816 | 2104 | msedge.exe | 103
Processes
(Child processes are indented under their parent.)

C:\Users\Admin\AppData\Local\Temp\da2af38db4b5bd416d2be6175630727cd3be73f7d52177e33d2a1da660d62185.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\da2af38db4b5bd416d2be6175630727cd3be73f7d52177e33d2a1da660d62185.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3956
    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\Updater.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 1108
    C:\Users\Admin\AppData\Roaming\Java\Updater.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Java\Updater.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4856
        C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\Updater.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
          PID: 4724
        C:\Users\Admin\AppData\Local\Temp\3nnii1Avk3gC.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\3nnii1Avk3gC.exe"
          PID: 184

C:\Windows\System32\fontview.exe
  Command line: "C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\OutSelect.ttf
  PID: 2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2104
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9008546f8,0x7ff900854708,0x7ff900854718
      PID: 3644
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      PID: 1988
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4260
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
      PID: 4816
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      PID: 3664
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
      PID: 1748
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      PID: 4820
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
      PID: 1608
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
      PID: 4936
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 2860
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
      PID: 3876
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      PID: 4288
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      PID: 4880
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
      PID: 4408
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
      PID: 1440
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5344 /prefetch:8
      PID: 1164
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5128 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID: 4324
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
      PID: 1384
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
      PID: 3860
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
      PID: 2784
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
      PID: 4184
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5716480075228693438,4641261671845672969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
      PID: 1848

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1404

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3040

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x494 0x2f4
  - Suspicious use of AdjustPrivilegeToken
  PID: 4408
Network
MITRE ATT&CK Enterprise v15
Downloads