Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2023, 01:15
Static task: static1

Behavioral task: behavioral1
  Sample: 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe
  Resource: win10v2004-20230915-en
General

Target: 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe
Size: 239KB
MD5: 2c8fc97d5d80ee9c7abc1ce63a14ad43
SHA1: 9aedb339d299a69f7a0bd2a1dd7d96e8741324b7
SHA256: 42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7
SHA512: e10c42f0910bd4d340a5dad9d788c043a381824beb600ba9410cc21bcbbe22ae287f440c1062f43e4aed60e601401cacb63d9aebb31927133f97196fe125e33e
SSDEEP: 6144:n846fuYXChoQTjlFgLuCY1dRuAOhbCIGGQYw8y0:nlYzXChdTbv1bunC0w8y
Malware Config

Extracted
  Family: smokeloader
  Version: 2022
  C2: http://77.91.68.29/fks/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (1 IoC)
pid   Process
3904  iatgfca

Suspicious use of SetThreadContext (1 IoC)
description                         pid   Process                                                                procid_target
PID 3144 set thread context of 224  3144  42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe  86

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid   pid_target  Process       procid_target
3760  3144        WerFault.exe  84

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                    Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
3180  Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid  Process
224  AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Suspicious use of FindShellTrayWindow (25 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Child processes are indented beneath their parent; each entry lists the image path, the command line, the PID and the signatures attributed to that process.

C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe"
  PID: 3144
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 224
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 248
      PID: 3760
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3144 -ip 3144
  PID: 60

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A0CF.bat" "
  PID: 2964
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      PID: 2208
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd2dd446f8,0x7ffd2dd44708,0x7ffd2dd44718
          PID: 4116

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2593899697362149130,12236240131630768222,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
          PID: 1268

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2593899697362149130,12236240131630768222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
          PID: 4812

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      PID: 5024
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd2dd446f8,0x7ffd2dd44708,0x7ffd2dd44718
          PID: 4856

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
          PID: 408

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
          PID: 4736

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
          PID: 4840

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
          PID: 5052

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
          PID: 2504

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
          PID: 4540

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
          PID: 3672

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
          PID: 3268

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
          PID: 3172

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
          PID: 3244

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
          PID: 4608

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
          PID: 5040

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1256

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 768

C:\Users\Admin\AppData\Roaming\iatgfca
  Command line: C:\Users\Admin\AppData\Roaming\iatgfca
  PID: 3904
  - Executes dropped EXE

C:\Windows\system32\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
  PID: 4848
Network
MITRE ATT&CK Enterprise v15
Downloads