Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2023, 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe
  Resource: win10v2004-20230915-en
General
Target: 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe
Size: 239KB
MD5: 868353e2d110b3d3c6c985b1adae7de4
SHA1: ad9c3ae066279e2cd947f9c833a0f1cb4d182973
SHA256: 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b
SHA512: 2553800d879530261d6a40ca535cf280e824bff878cd0e902b4841d419cdbccf519d71e1fe820a4b8772ffb82d045e92265aefe588d1bd0da8fce7e0f7a72018
SSDEEP: 6144:Mr46fuYXChoQTjlFgLuCY1dRuAOeXWaxuQNw8y0:M0YzXChdTbv1bunax/w8y
Malware Config
Extracted
  Family: smokeloader
  Version: 2022
  C2: http://77.91.68.29/fks/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2360 set thread context of 4924 | 2360 | 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe | 86
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4804 | 2360 | WerFault.exe | 84
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Identical rows in the tables below are collapsed; the "rows" column gives the number of repeated entries.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | rows
  4924 | AppLaunch.exe | 2
  3168 | Process not Found | 62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3168 | Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  4924 | AppLaunch.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid | Process | rows
  3084 | msedge.exe | 7
Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description | pid | Process | rows
  Token: SeShutdownPrivilege | 3168 | Process not Found | 11
  Token: SeCreatePagefilePrivilege | 3168 | Process not Found | 11
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process | rows
  3084 | msedge.exe | 25
Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process | rows
  3084 | msedge.exe | 24
Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3168 | Process not Found
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, repeat count in the last column)
  description | pid | Process | procid_target | rows
  PID 2360 wrote to memory of 4924 | 2360 | 34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe | 86 | 6
  PID 3168 wrote to memory of 2984 | 3168 | Process not Found | 100 | 2
  PID 2984 wrote to memory of 3084 | 2984 | cmd.exe | 102 | 2
  PID 2984 wrote to memory of 3768 | 2984 | cmd.exe | 105 | 2
  PID 3084 wrote to memory of 4820 | 3084 | msedge.exe | 104 | 2
  PID 3768 wrote to memory of 3784 | 3768 | msedge.exe | 106 | 2
  PID 3768 wrote to memory of 3712 | 3768 | msedge.exe | 108 | 40
  PID 3768 wrote to memory of 1464 | 3768 | msedge.exe | 107 | 2
  PID 3084 wrote to memory of 1648 | 3084 | msedge.exe | 110 | 6
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
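Added example, not part of the sandbox report: a small Python script that parses rows in the format the report's WriteProcessMemory and SetThreadContext tables use ("PID <src> wrote to memory of <dst> <src> <process> <procid_target>"), collapses repeats into counted edges, and correlates the two tables. A source PID that both writes into a target and then sets a thread context in it is the remote-write plus thread-redirect sequence that process hollowing (ATT&CK T1055.012) relies on; here that is 2360 into AppLaunch.exe 4924. The same edge list also recovers a link the process tree hides: cmd.exe (2984) appears as a root but was written to by PID 3168. The sample rows are a constructed subset copied from the tables above.

```python
"""Parse the sandbox's flattened signature rows and correlate them.

Added example; not part of the sandbox report. Row format handled:
    PID <src> wrote to memory of <dst> <src> <process> <procid_target>
    PID <src> set thread context of <dst> <src> <process> <procid_target>
"""
import re
from collections import Counter

SAMPLE = "34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe"

# Constructed sample input: a subset of this report's rows, trailing " -" kept as exported.
WRITE_ROWS = (
    f"PID 2360 wrote to memory of 4924 2360 {SAMPLE} 86 "
    f"PID 2360 wrote to memory of 4924 2360 {SAMPLE} 86 "
    "PID 3168 wrote to memory of 2984 3168 Process not Found 100 "
    "PID 3168 wrote to memory of 2984 3168 Process not Found 100 "
    "PID 2984 wrote to memory of 3084 2984 cmd.exe 102 "
    "PID 2984 wrote to memory of 3768 2984 cmd.exe 105 "
    "PID 3084 wrote to memory of 1648 3084 msedge.exe 110 -"
)
CONTEXT_ROWS = f"PID 2360 set thread context of 4924 2360 {SAMPLE} 86 -"

# One row: the source PID is repeated after the target, and the process name may
# contain spaces ("Process not Found"), so match it lazily up to the trailing number
# and require what follows to be the next "PID" or the end of the text.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<proc>.+?) (?P<procid>\d+)(?=\s+PID\b|\s*-?\s*$)"
)


def parse_rows(text):
    """Return [(src_pid, verb, dst_pid, process_name), ...] for every row in text."""
    return [(int(m["src"]), m["verb"], int(m["dst"]), m["proc"])
            for m in ROW_RE.finditer(text)]


def write_edges(text):
    """Collapse repeated WriteProcessMemory rows into {(src, dst, process): count}."""
    return Counter((s, d, p) for s, v, d, p in parse_rows(text)
                   if v == "wrote to memory of")


def hollowing_candidates(write_text, context_text):
    """(src, dst, process) triples where src both wrote into dst and set a thread
    context in it: the write-then-redirect sequence of process hollowing (T1055.012)."""
    wrote = {(s, d, p) for s, _, d, p in parse_rows(write_text)}
    ctx = {(s, d, p) for s, _, d, p in parse_rows(context_text)}
    return sorted(wrote & ctx)


def writers_of(write_text):
    """Map each written-to PID to the sorted PIDs that wrote into it, recovering
    parent links the process tree omits (cmd.exe 2984 is a tree root but was
    written to by PID 3168, shown as "Process not Found")."""
    writers = {}
    for (s, d, _p) in write_edges(write_text):
        writers.setdefault(d, set()).add(s)
    return {d: sorted(ps) for d, ps in writers.items()}


if __name__ == "__main__":
    for (s, d, p), n in sorted(write_edges(WRITE_ROWS).items()):
        print(f"{s} -> {d} ({p}) x{n}")
    print("hollowing candidates:", hollowing_candidates(WRITE_ROWS, CONTEXT_ROWS))
    print("writers:", writers_of(WRITE_ROWS))
```

Run it as-is to see the collapsed edge list; to apply it to a full report, paste the complete row text of each table into WRITE_ROWS and CONTEXT_ROWS. The regex anchors each row on the repeated source PID and on the next "PID" token, which is what keeps a process name containing spaces from swallowing the following row.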
Processes
Tree as reported by the sandbox: indentation shows parent/child depth, each image path is followed by its PID, "cmd:" is the full command line, and the dash lines are the signatures that fired for that process. Note that PID 3168 (reported as "Process not Found"), which the WriteProcessMemory table shows writing into cmd.exe 2984, does not appear in the tree, so cmd.exe is shown as a root.

C:\Users\Admin\AppData\Local\Temp\34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe  PID 2360
  cmd: "C:\Users\Admin\AppData\Local\Temp\34bd2ce2e8930770f19ca6e9f3b1a32d33711712eb07b54d43b2968ff251a98b.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  PID 4924
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\WerFault.exe  PID 4804
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 260
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  PID 4580
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2360 -ip 2360

C:\Windows\system32\cmd.exe  PID 2984
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63C6.bat" "
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3084
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4820
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa9f5f46f8,0x7ffa9f5f4708,0x7ffa9f5f4718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3252
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1648
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3064
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4620
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3668
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3328
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID 2716
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID 3948
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1824
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2856
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3608
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2052
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,5131041473767664403,7364682203591888964,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3768
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3784
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa9f5f46f8,0x7ffa9f5f4708,0x7ffa9f5f4718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1464
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17452259346966618359,283698262861202385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3712
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17452259346966618359,283698262861202385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe  PID 2624
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID 4104
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
  MD5: 45fe8440c5d976b902cfc89fb780a578
  SHA1: 5696962f2d0e89d4c561acd58483b0a4ffeab800
  SHA256: f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96
  SHA512: efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25
Filesize: 152B (8 entries with identical hashes)
  MD5: bf009481892dd0d1c49db97428428ede
  SHA1: aee4e7e213f6332c1629a701b42335eb1a035c66
  SHA256: 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
  SHA512: d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
  MD5: 93870ce1026d4052f18ad640012e06b8
  SHA1: fb1a27220e524cb86e0297484e3d2da214788672
  SHA256: 15133b79d415043509d63813657cf1dd1675febf7ea440a4384e90586ca93794
  SHA512: acbe8b755ddfa7815ef1bc5cc2958ff86b26b8e279d3790ae9051437da288ac121bc1909e9a5ecb7a75733660e357199972817f1e6e52950496e1d1ab9356cb2
Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
Filesize: 1KB
  MD5: d4b35be494dd90a927d70d535a732aea
  SHA1: 7719ced3036ad6ae8be8d98c8784e25ac8c3bada
  SHA256: ed35b9909afb2ec341b2a6349682d891f853ff4528a6fd19b1fe2e11c3ad1d6f
  SHA512: fd8ab28052948ac62df0912fe3e238d9a1784a1a982048e9aa695e817938dd040bcfafa8b0e6264a89b38408d69c53dddcfd4d5f4ed6599c221293a89f21fce4
Filesize: 5KB
  MD5: 3d6631140b7d5e4a1608fba8b99ae7d2
  SHA1: 930a9169b1bac32d287742db4100778d3a9b7eb9
  SHA256: b35a2ef686a2189310668d65cfb32b5b66dc4a7d2be74b33b408006a1e8c116d
  SHA512: 1d74f5c21c62906d143c74f297832bf03d6dce3df466ac25165db183a4375fae4fbe84b8fa1fa287e0d80cc472974ef18c64eacd2f82472717bb6bf6a75eced7
Filesize: 6KB
  MD5: db4bedbb14b3cf8c2641f6ca57774f23
  SHA1: 7feeb91214d584a57bb9702238e7d11b72c1c6c5
  SHA256: 2aaf8db43708b800c41d96b3eac2c7b4444bd37f43e966775509abf359ce0976
  SHA512: 23fd266aebd703ae77a273a942b7e9941ab35f73a16dfeb9e13c9eb6a7f9fc779bc2c138129cfe527e33b46a608f54fbc5d4bb6d116b74c44538202f67a19722
Filesize: 24KB
  MD5: 25ac77f8c7c7b76b93c8346e41b89a95
  SHA1: 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
  SHA256: 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
  SHA512: df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7
Filesize: 870B
  MD5: b01f0b413de09aeda256a5545e090498
  SHA1: c08a9274030d65571867e12b1b838cb7c16c32a7
  SHA256: 70eff12a831fdc0ae410a7a4a9a95e6577c8a4f37255abe8112ae73a0977f037
  SHA512: 118ba1a3bf3581baafe6fd791a439fb2ef448c449337f3ca7e160a13103c99c5f7275fe4b7734b7476f5963be7df1d19b9ae10d2b8fc4119b0d1b04e7e59aef6
Filesize: 870B
  MD5: abbe0a32e906cd8c188aa909ba8d4b56
  SHA1: 0e25d2ea33aac19d8439dc2edc5116bbc4b87bb5
  SHA256: 677e4350dc86c45ff38513d30fb8669b2b1c207fe4d226c32f93e0681bc3f56b
  SHA512: 7cda7743fe3d8cfe65003318439ed0c60decbc8fe2b42c52c5e35f6c1ce58a4f9fff567fef6944734c31ec5db36b729211f85c9e4b5960c0af4c620554ea9110
Filesize: 870B
  MD5: 61d51e5299bacfdf35914c27ff937d76
  SHA1: 5bfa300e46065d98cf94dc508c299ac411b11af5
  SHA256: bb811275ec3fecc1b0495aa27114dfb1e56ab7283255fc2a4687223b905ee4a1
  SHA512: 304546b0fd1a23d1fecf85fcd1cf2e448d9dece38931ccda1b676ade294f570876808be8a5863826c3df0ea58ca38184f77aa78484d56ab6a9614448b0565820
Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
Filesize: 2KB (2 entries with identical hashes)
  MD5: 591f098038b7c9bc7e3409f8b429d495
  SHA1: a993c07c57099926a989fcfbb11ab26da9cac6d3
  SHA256: d3375beb92daea2d0ff8f990575bc6d67cf859b5490abd776f11fdd6da035d58
  SHA512: 1d30a5d0ecefead493c790e679595e8d58b54af54703df1df9026c6fbcc2902b76cd9a46da5c50a650db80d02cd919006b35be9189cb5ab4bcf864ae796d5e17
Filesize: 10KB
  MD5: c07d0964debf0c61bd847524403637af
  SHA1: 8d3ab4ab871c3db021f080b07d25d2cbb6318415
  SHA256: 2dedc8b402b712b41ead730c568e3ebfd58a00b6c34c12dff97dc58ea3d90d07
  SHA512: 279f63e971fef7b886ffc307318c40a803a0a4b9d6df5a63875954f88e2ada04f4f3830e3e282a43f5aa08617f3b32b7babcbef1108dda3bfbb29c5bd0859981
Filesize: 79B
  MD5: 403991c4d18ac84521ba17f264fa79f2
  SHA1: 850cc068de0963854b0fe8f485d951072474fd45
  SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
  SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576