Analysis
- max time kernel: 231s
- max time network: 249s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/10/2023, 06:44
Static task: static1
Behavioral task: behavioral1
- Sample: 9fb83ad6d8c549b8067f68dbe5a4f8a8.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 9fb83ad6d8c549b8067f68dbe5a4f8a8.exe
- Resource: win10v2004-20231020-en
General
- Target: 9fb83ad6d8c549b8067f68dbe5a4f8a8.exe
- Size: 916KB
- MD5: 9fb83ad6d8c549b8067f68dbe5a4f8a8
- SHA1: 1c9da67bf16b6ac6a7b23623de45f3b8b33a39d9
- SHA256: 1d6df5e2a42f4a61b60cf45a65897cdb1fe9b81958cb46d56157f58f574f959e
- SHA512: 9c1c1d5614c57e650c843489c073b7fc86daa89ad810cbdce76764bb055b615f50fc794f79bc8543dd596bdc6b4ae78f895926711a29f5e9b057c04a3e702380
- SSDEEP: 24576:FjmtwAOC4b6XFHHHHHHHHHHHEsy9pVrl2uN:cOC4b61HHHHHHHHHHHapj
Malware Config
Extracted: smokeloader
- 2022
- http://77.91.68.29/fks/
Extracted: redline
- supera
- 77.91.124.82:19071
Extracted: amadey
- 3.89
- http://77.91.124.1/theme/index.php
- install_dir: fefffe8cea
- install_file: explothe.exe
- strings_key: 36a96139c1118a354edf72b1080d4b2f
Extracted: redline
- 5141679758_99
- https://pastebin.com/raw/8baCJyMF
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x0008000000022e0b-23.dat | family_redline
  behavioral2/files/0x0008000000022e0b-32.dat | family_redline
  behavioral2/memory/2228-48-0x00000000020B0000-0x000000000210A000-memory.dmp | family_redline
  behavioral2/memory/2228-56-0x0000000000400000-0x000000000047E000-memory.dmp | family_redline
  behavioral2/memory/1576-70-0x0000000000190000-0x00000000001CE000-memory.dmp | family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (14 IoCs)
  pid | Process
  2168 | EC6.exe
  3640 | 1138.exe
  1576 | 4A6B.exe
  4448 | 4B56.exe
  1120 | 5B74.exe
  2228 | 72C6.exe
  1960 | xX7ua4SD.exe
  4404 | Bk3RY4Kp.exe
  1560 | 942A.exe
  4912 | ou7PG9gE.exe
  1784 | F68F.exe
  4304 | 92D.exe
  3540 | 20BD.exe
  2080 | kn6hB2OQ.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Bk3RY4Kp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ou7PG9gE.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | EC6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | xX7ua4SD.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2148 set thread context of 888 | 2148 | 9fb83ad6d8c549b8067f68dbe5a4f8a8.exe | 87
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  888 | AppLaunch.exe (2 entries)
  3228 | Process not Found (remaining 62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3228 | Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  888 | AppLaunch.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid | Process
  5100 | msedge.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3228 | Process not Found (14 entries, alternating with the row below)
  Token: SeCreatePagefilePrivilege | 3228 | Process not Found (14 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process
  5100 | msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  5100 | msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
  description | pid | Process | procid_target | entries
  PID 2148 wrote to memory of 4852 | 2148 | 9fb83ad6d8c549b8067f68dbe5a4f8a8.exe | 86 | 3
  PID 2148 wrote to memory of 888 | 2148 | 9fb83ad6d8c549b8067f68dbe5a4f8a8.exe | 87 | 6
  PID 3228 wrote to memory of 2168 | 3228 | Process not Found | 90 | 3
  PID 3228 wrote to memory of 3640 | 3228 | Process not Found | 91 | 3
  PID 3228 wrote to memory of 4872 | 3228 | Process not Found | 92 | 2
  PID 3228 wrote to memory of 1576 | 3228 | Process not Found | 94 | 3
  PID 4872 wrote to memory of 576 | 4872 | cmd.exe | 95 | 2
  PID 3228 wrote to memory of 4448 | 3228 | Process not Found | 96 | 3
  PID 3228 wrote to memory of 1120 | 3228 | Process not Found | 97 | 3
  PID 3228 wrote to memory of 2228 | 3228 | Process not Found | 98 | 3
  PID 2168 wrote to memory of 1960 | 2168 | EC6.exe | 101 | 3
  PID 4872 wrote to memory of 5100 | 4872 | cmd.exe | 102 | 2
  PID 1960 wrote to memory of 4404 | 1960 | xX7ua4SD.exe | 105 | 3
  PID 576 wrote to memory of 4664 | 576 | msedge.exe | 103 | 2
  PID 3228 wrote to memory of 1560 | 3228 | Process not Found | 106 | 3
  PID 5100 wrote to memory of 2664 | 5100 | msedge.exe | 104 | 2
  PID 4404 wrote to memory of 4912 | 4404 | Bk3RY4Kp.exe | 107 | 3
  PID 3228 wrote to memory of 1784 | 3228 | Process not Found | 108 | 3
  PID 5100 wrote to memory of 2820 | 5100 | msedge.exe | 111 | 12
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\9fb83ad6d8c549b8067f68dbe5a4f8a8.exe (PID 2148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fb83ad6d8c549b8067f68dbe5a4f8a8.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4852)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 888)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\EC6.exe (PID 2168)
  Command line: C:\Users\Admin\AppData\Local\Temp\EC6.exe
  Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX7ua4SD.exe (PID 1960)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX7ua4SD.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bk3RY4Kp.exe (PID 4404)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bk3RY4Kp.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou7PG9gE.exe (PID 4912)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou7PG9gE.exe
        Signatures: Executes dropped EXE; Adds Run key to start application
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kn6hB2OQ.exe (PID 2080)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kn6hB2OQ.exe
          Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\1138.exe (PID 3640)
  Command line: C:\Users\Admin\AppData\Local\Temp\1138.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\cmd.exe (PID 4872)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2A40.bat" "
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 576)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4664)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe61a546f8,0x7ffe61a54708,0x7ffe61a54718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    Signatures: Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2664)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe61a546f8,0x7ffe61a54708,0x7ffe61a54718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4436)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,9541196144073318164,6469762856953464650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2820)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,9541196144073318164,6469762856953464650,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2068)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,9541196144073318164,6469762856953464650,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3416)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9541196144073318164,6469762856953464650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3856)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9541196144073318164,6469762856953464650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2592)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9541196144073318164,6469762856953464650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 404)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9541196144073318164,6469762856953464650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
- C:\Users\Admin\AppData\Local\Temp\4A6B.exe (PID 1576)
  Command line: C:\Users\Admin\AppData\Local\Temp\4A6B.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\4B56.exe (PID 4448)
  Command line: C:\Users\Admin\AppData\Local\Temp\4B56.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\5B74.exe (PID 1120)
  Command line: C:\Users\Admin\AppData\Local\Temp\5B74.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\72C6.exe (PID 2228)
  Command line: C:\Users\Admin\AppData\Local\Temp\72C6.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\942A.exe (PID 1560)
  Command line: C:\Users\Admin\AppData\Local\Temp\942A.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\F68F.exe (PID 1784)
  Command line: C:\Users\Admin\AppData\Local\Temp\F68F.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\92D.exe (PID 4304)
  Command line: C:\Users\Admin\AppData\Local\Temp\92D.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\20BD.exe (PID 3540)
  Command line: C:\Users\Admin\AppData\Local\Temp\20BD.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: c0168efbb077a0ae9c70928eb9abdb50
  SHA1: c25014d65c561a440dd67b427108e2f8a3871d1b
  SHA256: bd74a055a523af5002e53ad2b978d86eff5253c6086d2523e4254ac28c7a9155
  SHA512: c37cf313d6b4e3f1edef7f42a36a7774e1417bc50d66da988ff095420e41a264758de3c42dce750fa5f32cf9aa261701aa8ba27ca95362b905807efda4449968
- Filesize: 152B
  MD5: 343ca9587187b86659117d6ed1739038
  SHA1: f4cd3969c484c8a7762a32e0c48177eb0c052192
  SHA256: f3ccde758353e693b67cb2574e5d60b2a3dfe4160cbca320f87e5744c237dca4
  SHA512: b5c89fbe234ca151cb505909a5c0f5e06a0e48f999481d18232021c45bce6ccb27c7bf574f19d45fe05fc1705e95fe71ca06c1db77231561b33768337b4fe3d3
- Filesize: 180KB
  MD5: 53e28e07671d832a65fbfe3aa38b6678
  SHA1: 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
  SHA256: 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
  SHA512: 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
- Filesize: 501KB
  MD5: d5752c23e575b5a1a1cc20892462634a
  SHA1: 132e347a010ea0c809844a4d90bcc0414a11da3f
  SHA256: c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
  SHA512: ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8
- Filesize: 79B
  MD5: 403991c4d18ac84521ba17f264fa79f2
  SHA1: 850cc068de0963854b0fe8f485d951072474fd45
  SHA256: ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
  SHA512: a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
- Filesize: 222KB
  MD5: 733214683f328750c9be7db99d101fbf
  SHA1: 27e9a0d8dc7c9d1d709931b90827b4da11bb8818
  SHA256: f77b7ca5a45ac3f71e065a73ba1e708d83fdcbde877b8a794942c04ba81d738a
  SHA512: 89abca8b828698961959cf5eb751f6d13c4d6c3de58269c99c6e3971cafa0aae91fb7a379a72900ed6dd290bc77dcac1aa9a0caea74078cbae83c6cd2428e7c5
- Filesize: 11KB
  MD5: d2ed05fd71460e6d4c505ce87495b859
  SHA1: a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
  SHA256: 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
  SHA512: a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e
- Filesize: 219KB
  MD5: 4bd59a6b3207f99fc3435baf3c22bc4e
  SHA1: ae90587beed289f177f4143a8380ba27109d0a6f
  SHA256: 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
  SHA512: ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
- Filesize: 496KB
  MD5: ba5914a9450af4b5b85f409ed8ce12bf
  SHA1: dc2b6815d086e77da1cf1785e8ffde81d35f4006
  SHA256: 06af574de808d01d65f985b01f6d2910e627f95429bff8bcce246ee2525f1fe7
  SHA512: b0ad3528ce306c4bf674b1e091d8bbe0de731edf0ccecdcd6226e9876be34930a6ef8a4ab7c25da2de66324986142512d2a6d1be338c7887fb4e4d23aa986d92
- Filesize: 10KB
  MD5: 395e28e36c665acf5f85f7c4c6363296
  SHA1: cd96607e18326979de9de8d6f5bab2d4b176f9fb
  SHA256: 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
  SHA512: 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
- Filesize: 11.5MB
  MD5: fd78a9c1e52044e9860cabd8e3b65a58
  SHA1: 35f102702fcb71f438d2adbebe5ca7962279f9d8
  SHA256: 8fa813e6be834da063c8e38cc29134e40a571e1ab0d4d0ad481c80b19d0762ad
  SHA512: 05939b29baddfdc5de3582198d1c6ab64bcc26e8e6830d4f7cbb78bf9dab16c743b686464e07b9fff9a70b9d5a2affe36953af24ef9a313e7fe0deacd62c5b49
- Filesize: 1.5MB
  MD5: 0f4e0c0aef8c5adbebe41c4eb170bcb3
  SHA1: c7582cf042d656e85ce61131c5c3dacfa927a911
  SHA256: 7322180ba01b2120897f5891145667a300748066a4e67e847140cbfdabaa4d4c
  SHA512: 9126216f498f8e61cdf1a7131e27db19442b0b17ab6fee6b3863e445fb552fbb30fee0097f23a3ede4967588bfc811b31f70940e1e11074aee1ff3436bb91049
- Filesize: 184KB
  MD5: 42d97769a8cfdfedac8e03f6903e076b
  SHA1: 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
  SHA256: f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
  SHA512: 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77
- Filesize: 1.3MB
  MD5: 38f35beb6d867592a6cc47c6c1b7a391
  SHA1: 0ea405f8b74d018b715e7a9adfade37e312e0a23
  SHA256: 038502b3083704dc97b958601f131ded0457eb4ac0b63f33a4f03f6d8c253dca
  SHA512: 587cf9851ab042dad58debe5df13518a84edde7b922b92c1572005e4c71977a824ce562ea252ee2aae6f907e4f35720d34091fd76f062b12476d1a3d2d2545cf
- Filesize: 1.2MB
  MD5: 6ca7ee021bfc24fbe2a1cc7aef717989
  SHA1: edf9037219ca4511048ef40a0cc3264ef4c76f77
  SHA256: f746ce0f9e4fadae54c520fdd178101146a491b474389862d43f19a48b906ebf
  SHA512: 9f75a4dbc9a80ac5bc4cd9799dec19f67db3b4da5322ed169d7876b2ec3aca5623931adc22764456cf73038a0f15d3f155cf825c40235b180222bd731a67be33
- Filesize: 761KB
  MD5: 9ec02d76fc395b3345ca42b73d30bcfe
  SHA1: 8652879a3e9ca49822d7739d6ac13dea2ff6852b
  SHA256: 0b6531c4c93bc6c818c49d000e7e24064b9fb20c2cafe38cd83d6397bfd43341
  SHA512: d34acbabbdeca22845cbc53dd44612c7c1b4bafabcf6e606989781208019f7d93bd5a160c7328ee8d61fa33a3116e901698ccaa28acf8bab14e59283d104006d
- Filesize: 565KB
  MD5: 83bc9eadeb2ea1a8c71cfb0445a63b50
  SHA1: 9cd2f9f2742fffa6439a70015edd896b44fab0e4
  SHA256: 5ea5582061ab0c4233a81ab8913661d4fae653d8f77becbd458116d1295ff29b
  SHA512: 9ee06b1a46486e0ceba60e95940d249a602fbc21c5d4f91ecbd402bb2310ca9e43e2da8c661bcbe6aacab2cb8a9fc1ebcbb0dad29e3c8ede871a8615e891423d