Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/09/2023, 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2 (the run reported on this page)
  Sample: SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe
  Resource: win10v2004-20230915-en
General
Target: SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe
Size: 270KB
MD5: 3d6d23a12a70a3f32f2764d15463cf66
SHA1: 9cd1ec5065f67b211ff5d5a5dc381bb8f7f89b90
SHA256: 7b7b88730642a23a8839968e665d119af960929dd53e4dc51b3a633bd1ae2493
SHA512: 95674a666391fff469d6dfc558602164801fffe205fc4eed23f5de09fb5228b27e20893bae59932565e797d1b1a6e8696e5797fea0771fcb8cb71d67b23ef4b4
SSDEEP: 6144:iRphrJ+j+5j68KsT6h/OCy5U9uAORAUNqw6:iRfN+j+5+RsqGGuwU8w6
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2: http://77.91.68.29/fks/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1916 set thread context of 632 | 1916 | SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe | 83
Read together with the WriteProcessMemory rows further down: the sample (PID 1916) writes into the second AppLaunch.exe instance it created (PID 632) and then replaces a thread context in it, which is the process-hollowing pattern for running a payload inside a signed .NET host. The first AppLaunch.exe instance (PID 1944) only received three writes and no thread-context change.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4472 | 1916 | WerFault.exe | 81
The crashing process is the sample itself (PID 1916, see the WerFault.exe -u -p 1916 entry in the process tree); the behaviour attributed to AppLaunch.exe PID 632 below belongs to the child it had already written to.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device-instance names under Enum\SCSI carry the disk vendor/product strings, and on a virtual machine those strings usually name the hypervisor.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
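Added example, not part of the sandbox report: the check behind these three rows, reconstructed in Python. It parses the device-instance names found under Enum\SCSI and looks for hypervisor vendor/product strings. The names in SAMPLE_SUBKEYS and the VM_MARKERS list are constructed for illustration, not taken from this sample; on a Windows host read_scsi_enum() reads the live key instead.

```python
r"""What the "Checks SCSI registry key(s)" signature is looking at.

Subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI are device-instance IDs shaped
like  <Class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>] ; on a VM the vendor or
product string usually names the hypervisor, so a loader enumerates the key and
tests for those strings. SAMPLE_SUBKEYS below is constructed for this example.
"""
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: a representative list of hypervisor markers, not the exact
# strings this sample tests for.
VM_MARKERS: Tuple[str, ...] = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN")

_DEVICE_ID = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.IGNORECASE
)


def parse_device_id(subkey: str) -> Optional[Dict[str, str]]:
    """Split an Enum\\SCSI subkey name into class / vendor / product."""
    m = _DEVICE_ID.match(subkey)
    if m is None:
        return None
    return {"class": m["cls"], "vendor": m["ven"], "product": m["prod"]}


def vm_indicators(subkeys: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (subkey, marker) for every device whose vendor or product string
    contains a hypervisor marker; input order is preserved."""
    hits: List[Tuple[str, str]] = []
    for name in subkeys:
        parsed = parse_device_id(name)
        if parsed is None:
            continue  # not a device-instance ID; ignore
        haystack = f"{parsed['vendor']}&{parsed['product']}".upper()
        for marker in VM_MARKERS:
            if marker in haystack:
                hits.append((name, marker))
                break
    return hits


def looks_like_vm(subkeys: Iterable[str]) -> bool:
    """The decision a sandbox-aware loader would make from this key alone."""
    return bool(vm_indicators(subkeys))


def read_scsi_enum(control_set: str = "ControlSet001") -> List[str]:
    """Enumerate the live key the sample read (Windows only; uses winreg)."""
    import winreg  # imported here so the module still loads on non-Windows hosts

    path = rf"SYSTEM\{control_set}\Enum\SCSI"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[0]  # (subkeys, values, last-write time)
        return [winreg.EnumKey(key, i) for i in range(count)]


# Constructed sample: three VM-style devices and one physical-looking SSD.
SAMPLE_SUBKEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
]

if __name__ == "__main__":
    names = read_scsi_enum() if sys.platform == "win32" else SAMPLE_SUBKEYS
    for name, marker in vm_indicators(names):
        print(f"{marker:8} {name}")
    print("verdict:", "VM/sandbox" if looks_like_vm(names) else "no VM marker")
```

The practical consequence for sandbox builders is the mirror image of the check: if the vendor and product strings exposed by the virtual disk are left at their defaults, this single registry read is enough for the injected payload to stop before doing anything observable.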
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
These rows belong to the Edge browser process (PID 1640) started by cmd.exe running A081.bat, not to PID 1916 or its AppLaunch.exe children; do not count them as the sample's own host fingerprinting.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | rows
632 | AppLaunch.exe | 2
3164 | Process not Found | 62
("Process not Found" is the sandbox's placeholder for a PID whose image name it did not record; PID 3164 is also the parent of the cmd.exe that runs A081.bat.)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3164 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
632 | AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process | rows
1640 | msedge.exe | 7

Suspicious use of AdjustPrivilegeToken (22 IoCs)
description | pid | Process | rows
Token: SeShutdownPrivilege | 3164 | Process not Found | 11
Token: SeCreatePagefilePrivilege | 3164 | Process not Found | 11

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process | rows
1640 | msedge.exe | 25

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process | rows
1640 | msedge.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | rows
PID 1916 wrote to memory of 1944 | 1916 | SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe | 82 | 3
PID 1916 wrote to memory of 632 | 1916 | SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe | 83 | 6
PID 3164 wrote to memory of 1980 | 3164 | Process not Found | 98 | 2
PID 1980 wrote to memory of 1640 | 1980 | cmd.exe | 100 | 2
PID 1640 wrote to memory of 2780 | 1640 | msedge.exe | 102 | 2
PID 1980 wrote to memory of 1248 | 1980 | cmd.exe | 103 | 2
PID 1248 wrote to memory of 4868 | 1248 | msedge.exe | 104 | 2
PID 1248 wrote to memory of 4164 | 1248 | msedge.exe | 108 | 40
PID 1248 wrote to memory of 2852 | 1248 | msedge.exe | 105 | 2
PID 1640 wrote to memory of 2092 | 1640 | msedge.exe | 107 | 3
Only the 1916 -> 632 writes are paired with a SetThreadContext call (above). The remaining rows are a parent writing into a child it has just created, which is the normal start-up pattern for cmd.exe and for the Edge browser process and its helper processes; WriteProcessMemory on its own is too noisy to alert on.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
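Added example, not from the report: the SetThreadContext and WriteProcessMemory rows above reduced to a single injection finding. The PIDs, image paths and the distinct source-to-target rows are transcribed from this report; the scoring rule and the two path heuristics (HOLLOW_HOSTS, USER_WRITABLE) are this example's own assumptions, not the sandbox's logic.

```python
r"""Derive a process-injection finding from WriteProcessMemory / SetThreadContext rows.

PROCESSES and EVENTS are transcribed from this report (repeated rows collapsed).
The rule: a source that both writes into a target and replaces a thread context
in it is treated as an injection candidate; extra points if the target is a
framework host and the source runs from a user-writable directory.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PROCESSES: Dict[int, str] = {
    1916: r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe",
    1944: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    632: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    1980: r"C:\Windows\system32\cmd.exe",
    1640: r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    2092: r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
}

# (api, source pid, target pid), one entry per distinct row in the report.
EVENTS: List[Tuple[str, int, int]] = [
    ("WriteProcessMemory", 1916, 1944),
    ("WriteProcessMemory", 1916, 632),
    ("SetThreadContext", 1916, 632),
    ("WriteProcessMemory", 1980, 1640),  # cmd.exe starting msedge.exe
    ("WriteProcessMemory", 1640, 2092),  # Edge browser process starting its GPU child
]

# Assumed heuristics (compared on lower-case, forward-slash paths).
HOLLOW_HOSTS = ("/microsoft.net/framework/",)
USER_WRITABLE = ("/appdata/local/temp/", "/appdata/roaming/", "/users/public/")


def _norm(path: str) -> str:
    return path.lower().replace("\\", "/")


def pair_apis(events) -> Dict[Tuple[int, int], Set[str]]:
    """Group the API names seen for each (source pid, target pid) pair."""
    pairs: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    for api, src, dst in events:
        pairs[(src, dst)].add(api)
    return dict(pairs)


def injection_findings(events, processes) -> List[dict]:
    """Flag pairs that both wrote memory into the target and replaced a thread
    context in it. A parent writing into a child it has just created (the
    cmd.exe and msedge.exe rows) never reaches the second step."""
    findings = []
    for (src, dst), apis in sorted(pair_apis(events).items()):
        if not {"WriteProcessMemory", "SetThreadContext"} <= apis:
            continue
        src_img = processes.get(src, "")
        dst_img = processes.get(dst, "")
        reasons = ["WriteProcessMemory and SetThreadContext on the same target"]
        if any(h in _norm(dst_img) for h in HOLLOW_HOSTS):
            reasons.append("target is a .NET framework host (typical hollowing victim)")
        if any(u in _norm(src_img) for u in USER_WRITABLE):
            reasons.append("source runs from a user-writable directory")
        findings.append({
            "source": src, "source_image": src_img,
            "target": dst, "target_image": dst_img,
            "score": len(reasons), "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in injection_findings(EVENTS, PROCESSES):
        print(f"[score {f['score']}] {f['source']} -> {f['target']} ({f['target_image']})")
        for r in f["reasons"]:
            print("   -", r)
```

Run as a script it prints one finding, 1916 -> 632 with score 3, and nothing for the cmd.exe and Edge rows. The same grouping works on EDR telemetry: key the events on (source, target) rather than on the API name, so the noisy WriteProcessMemory stream only matters once a thread-context change joins it.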
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe (PID 1916)
   command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.7934.3402.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1944)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 632)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
   2. C:\Windows\SysWOW64\WerFault.exe (PID 4472)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 252
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe (PID 4828)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1916 -ip 1916
1. C:\Windows\system32\cmd.exe (PID 1980; parent PID 3164 per the WriteProcessMemory rows, image name not captured)
   command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A081.bat" "
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1640)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2780)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8580346f8,0x7ff858034708,0x7ff858034718
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5092)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2092)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1196)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4264)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1664)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5064)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4612)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4668)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      3. C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2060)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
      3. C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1160)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4900)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3280)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3587910640105965004,2117035594032049009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
   2. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1248)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4868)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8580346f8,0x7ff858034708,0x7ff858034718
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2852)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,17133104610820350055,18039567959462482645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4164)
         command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,17133104610820350055,18039567959462482645,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
1. C:\Windows\System32\CompPkgSrv.exe (PID 3040)
   command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
1. C:\Windows\System32\CompPkgSrv.exe (PID 4736)
   command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 3478c18dc45d5448e5beefe152c81321
  SHA1: a00c4c477bbd5117dec462cd6d1899ec7a676c07
  SHA256: d2191cbeb51c49cbcd6f0ef24c8f93227b56680c95c762843137ac5d5f3f2e23
  SHA512: 8473bb9429b1baf1ca4ac2f03f2fdecc89313624558cf9d3f58bebb58a8f394c950c34bdc7b606228090477f9c867b0d19a00c0e2f76355c613dafd73d69599c
- Filesize: 152B (listed five times in the report)
  MD5: 4d25fc6e43a16159ebfd161f28e16ef7
  SHA1: 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
  SHA256: cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
  SHA512: ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: e0ef89cd344a708a2dc463774e0f653c
  SHA1: 02938cfe574f84f030c383d22a2d799ef815f72d
  SHA256: fa4a65525b03684af9afc287cbe4eae32dee1cd03e65bc9e812bd4ae16226f19
  SHA512: 14984df16725d9af556a32ac0058d29d09d93d13a6f9a17a3b2c863f50aa65d82bd7ea7373b2d3a636137beb1d1ee16d8e3ca56f0dd07a76f0ac866898e1ca86
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 1KB
  MD5: 0ed67518f29ee03eed1fc1ae20a3cb4e
  SHA1: ca5d7246975b46a436f8e79d47a17cfc66ef51c5
  SHA256: 996ab3cc6400782ebb879cc26bd8c3b2c29372c1bb33e6ece26474bf5d3d461a
  SHA512: 6f86fdc2b217abbc6ad820841f60fbb5dabe39abc22ae8fa8806da669f1b200053c03eae4b67e8470410cb5f7511e284b959b1a756ea77478ccce959283d0c59
- Filesize: 5KB
  MD5: dc9c5994f34ffde04825ec9ac2bcca23
  SHA1: 4d639e83a8220da604a6da9ddee8ad19f7a7c0b4
  SHA256: 07c084ccb5592f19e8bbdd4c433f05b546d2016334d5b4ab65d518a36c9b6e10
  SHA512: dad62def9d6af493c81ffd5f5e3c6012d279141e35827482c61e244d8336e92a7c387600e0844e0ec6351cc52d8c5604acecfdfffb93d0edef7577b5fd7ef0ab
- Filesize: 6KB
  MD5: 930edac77a133ffa036fb079b365e42e
  SHA1: 1c7ecb1dce8cdd0ef336987f77af94de2850bf0a
  SHA256: d82472462b66afd9c5db13395593572eea9a24e30ac6cc197e0f1a4c8568d23f
  SHA512: d0bbbee63afa3685309af37bf817cd0d1e7bb8ec2d4822daa16363518bd7d6513195b592364c1f92337d1d4dc5115b936969abccb4aae89efb0069c44e9db4ef
- Filesize: 24KB
  MD5: d555d038867542dfb2fb0575a0d3174e
  SHA1: 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
  SHA256: 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
  SHA512: d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f
- Filesize: 872B
  MD5: 7621f5cb3188982d13d9b382c4fc5453
  SHA1: e6a90cdc6b12cb1fcdbd6c41371a315b84a3ce63
  SHA256: 888e86c54e5925d347b2daa9a5f9bf079cf147e0f419cfbbd5d9ad7f425d9e77
  SHA512: ad227ad48f5c2aa37d1353adbb472bc93168a24d7757ce4ad9c1a3f97ad8bf05ec580291b116f4716736229d01358880c426e3333f31feaa63715959904dc612
- Filesize: 872B
  MD5: fb33c4b860f6ff00b3f31e8a57732c01
  SHA1: 939257f76c3f1d55d1afb4b41b105145bc0336d6
  SHA256: 830e4dc3c097aeb449c92f5ca568bd1198cbff01a510775b07876bc80f70106e
  SHA512: 833ab5538cef9b86a335c18dee2c5d793e141b28b12d29ba6db0c820289c6de5935c3be9c0084a0ca17801947ec178f24500cae65c11143d3dfc0f0dd34d6b64
- Filesize: 872B
  MD5: 3ce722de775e43abe162626942f530e7
  SHA1: 0b0eccfec06376c99d97b9a49c43eb2ce4a3369c
  SHA256: 4bd824ff1a73b584a8d64b307b1068cb702c677dc763493d649f91f4287205eb
  SHA512: 85678561af74544ab128489447d7b015326d09e1cf763e1ec52fc4dbe280fe4233d9e85b82cd08608bdc9c2986f8167bb8d2a26abbb334a4b0c615d3fc646838
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 2KB (listed twice in the report)
  MD5: f6765d05cfa5d1e2e4b0f7bf9683c31a
  SHA1: e51467c598eb5c92e456627b2208f2f4d1348dfc
  SHA256: 2f57a52105c0d6934c6b572d7bc370915c5e6c1104a8ab58e2d5c22ccd54d031
  SHA512: b459c77b9a1b3d2148b733c0350c0ae7a4340e6f6c988f691392a57b9989bd99e18a427a0c83aba99f88626a63ec511d2848ff8e038f61dd5188af95cc732150
- Filesize: 10KB
  MD5: 3784ce76aeffdd998d606c4d5d6f438b
  SHA1: 1fbe8f38b3e1d9a6350569e2ac86e9bc670ca72c
  SHA256: 21d30dd0d59a7fdce2301e0bc6dad83fcdf66ac341f46410ede3e9800535f849
  SHA512: cf03cf49bb53fa00ba857b8e7cf5f01318a8ed2fea3c9f99c527668ce9d21a34facf8b2748d9d9e28fadb420c65a38695e9f27476bef29369ba1d714b7cbda44
- Filesize: 79B
  MD5: 403991c4d18ac84521ba17f264fa79f2
  SHA1: 850cc068de0963854b0fe8f485d951072474fd45
  SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
  SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576