Resubmissions
12-02-2024 15:14
240212-smedwaae93 1018-01-2024 16:04
240118-thz1fsdeh5 1027-11-2023 17:24
231127-vyp1vsag72 1027-11-2023 17:23
231127-vykfdaag68 307-09-2023 17:34
230907-v5f2jacd3x 1007-09-2023 17:29
230907-v2xvwacd44 10Analysis
-
max time kernel
1027s -
max time network
1043s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
18-01-2024 16:04
General
-
Target
JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
-
Size
473KB
-
MD5
5ae1281ef3fd32f975133cd880be9ba8
-
SHA1
11f3e8bfb5443fe516ff6922e72ae005e1431e13
-
SHA256
e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea
-
SHA512
c7a2df58fc7b97ed642b4671ea2af9573ea9f6e8806c3251703b4d594a24a0463380eafcb7757dc4d732655c5f08d28776cf6d0e5597ea2377463c106de4e587
-
SSDEEP
12288:zMr0y904pAEvdXQzqmrQAQlMmHeNwwrGfI:XyxTNQzdZanQwwrGfI
Malware Config
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe"C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.0.47637765\87627224" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {995a2de7-5501-4188-9961-c017ded49876} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 1964 1b19a3d2758 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.1.1494808449\2075390484" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {729879ae-fe1f-47b3-80e1-a93b6d22889b} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2364 1b18da72b58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.2.1896980119\921501017" -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 3188 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47cb01a6-d72d-4f59-aa81-2dcae197d8f8} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 3164 1b19a35bc58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.3.684290584\2036563722" -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8596517c-db18-47ec-a4aa-b8ea83c43e41} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 3644 1b19e4ba358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.4.1130380535\1080940293" -childID 3 -isForBrowser -prefsHandle 4420 -prefMapHandle 4416 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1fd2cc-91bd-4831-8453-d0bba5a5a5d0} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 4428 1b1a00ede58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.7.974242995\984962522" -childID 6 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a063985-a0f2-4df0-b18e-7b4111dd635a} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 5448 1b1a06b4258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.6.2042927665\300121739" -childID 5 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {330ccdba-6232-4f89-8575-4affa10a5f4c} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 5260 1b1a06b2d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.5.1490436810\430194327" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 5004 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {018be28d-abc5-42cf-a009-484e3d19281c} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 5128 1b1a06b2458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.8.2054348731\1247577442" -parentBuildID 20221007134813 -prefsHandle 5832 -prefMapHandle 5136 -prefsLen 26206 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b46cbac9-4bfd-43b7-b62a-b0c58f63ce25} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 5840 1b1a2788f58 rdd3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.9.560966603\1629475774" -childID 7 -isForBrowser -prefsHandle 5980 -prefMapHandle 5832 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {149e5780-76a6-4ea2-8e70-f919bc130c1b} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 5992 1b1a27ac258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.10.1677508538\156001176" -childID 8 -isForBrowser -prefsHandle 6296 -prefMapHandle 6300 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba0fdd48-9d86-4613-92a5-ff522cbd9cce} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 6316 1b1a2aa2b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.11.911257518\961410775" -childID 9 -isForBrowser -prefsHandle 6524 -prefMapHandle 6528 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad4f3f30-8232-4cb6-b904-89b7850de3ac} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 6512 1b1a2aa4358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.12.305051668\265039604" -childID 10 -isForBrowser -prefsHandle 6696 -prefMapHandle 6620 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d65a98e-a5dc-4ad6-9faf-0d5890196c99} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 6608 1b1a2aa3d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.13.585143486\1898924754" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5620 -prefMapHandle 5772 -prefsLen 26381 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10af1dd1-078f-40e4-be9d-0d2394275879} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 4672 1b19e30aa58 utility3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x424 0x4a01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb616446f8,0x7ffb61644708,0x7ffb616447182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3132 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5847557882859564694,8450588961631816073,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3644 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f246cc2c0e84109806d24fcf52bd0672
SHA18725d2b2477efe4f66c60e0f2028bf79d8b88e4e
SHA2560c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5
SHA512dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640
-
Filesize
6KB
MD5354bed00a8b48e46f2f109942bd5f27c
SHA1d812db0a36aeb6917154b94ddcd76ee97973121e
SHA25693d6b10a11829c3a2e82636ec0b173703b6f11b9dc17177f5578162e08da3614
SHA5121218d7d3ef97c501df43aef6f7b393bc71047a67449d85fbdd2e5c7ce7ed9cd706f1db94f46799388d610cbe38ae57f66c16c9bb98bb6ad3b2299932fd9a80e3
-
Filesize
696B
MD5c9b12e310ab2b7a04fdc4d2631f71cbe
SHA13f8ea007966489690859cc49e2f3e8044aa3a2b8
SHA25622ecadbbaa88aed926fe14341db860322c52c48832856ec1bd0ef01d086ecb8b
SHA512b32d0e7630ae616de2ea95c0e6263f7d9ff422f3e3f481445c386fc5bb558feef5859816484cd3484f4f4045e0c625b41997bd1afc371b62b3b15141d87c9b08
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD5f31620e28d6791e3b9ce519ba7da1384
SHA1b6c9a063a4d6ad7dbc13e098321578e72db0a1d0
SHA256565f43ff3a421807bd0afb27903c429116a20e841882ca63187929515c1e5c87
SHA512d298262a980684949df3bc7c84cdafdd74b74d1ca3666f9a3e45c6d304a378f2c4d133d99d4770c7a502afa5084d90a333454847a54e759de0ec24a4185e4bc7
-
Filesize
6KB
MD569c97ad87e096f0e3a06041e6bc8f642
SHA1aa6eb54676fe38ef6bc869c35dbb52d6ddad30cd
SHA256fe817e954f0ac332b8253979fc25927437f014be2a97a140a0d222b1a401b14f
SHA5128f4cb07f185f4ce21fdf56540452674c4e5fdac9c288845da22c29782dcd9a514ed0af65999680551ecf52a9cbce13b1950c1b701c57f2eb3c58d97c2e69a1c5
-
Filesize
5KB
MD509c427379f543e5ce07518bf4b8f6dee
SHA1f76f0c18387633e77567a16b4d781e0984ecd0f9
SHA256c25b4b290b7e1e5fee5b5cfcf2d57d413f1d82c979ba8dd912fee4c7d0187ffe
SHA5120138ba329ebc6aaeed305addfb0600acf7abf5cf65a1dff80b9cbfe64cb9bd617329bc73adbcb19f9be4796bd64f1cc6a198983580f109543f02600998358a4c
-
Filesize
6KB
MD524dd2b2d4fc62748566243eb98352814
SHA19d0d4786ebebd0f6240c4ab56646eaa7e5f9bdff
SHA2563a437c597c014fb09bc2f53b101850cc6c01f6788c3853af32baf634d6a4ea48
SHA512b1da03f6f43ddab5aab1de2c8ff419e1a8471597fd3c1c9644645c2e0b43634e19ed5dda7657bef7894fbc080c082359c30e6cd4c36af675d07fcc34ce09e51f
-
Filesize
6KB
MD51086b3be045ba4c159614ef712163e3c
SHA112a792bc5939e21ee3bf906396c6132b6c340a7d
SHA256b8a0773876ff293f16433a64b28959468f30377f05e2237e8b880e35c534279e
SHA5121c6edf34b7e92224db1c055f416c8c4bd85dea025594dbd1bd4b9937fd731dc115769d65269615a82fdb02eeca6106fa09303d1e965c10a24313c5d08714b054
-
Filesize
24KB
MD55e62a6848f50c5ca5f19380c1ea38156
SHA11f5e7db8c292a93ae4a94a912dd93fe899f1ea6a
SHA25623b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488
SHA512ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5cdc6499b15ff5b81315a64ee5271fa06
SHA1f9ffe3dfc9fe84cb49c41cb8b20c7e7618360c26
SHA256095ebc0dbe46157bc58ef844350dffc9387dfe7c6b604a0839151d556441237b
SHA5121463820a81ca210718f66113a60d7c25de2b60b92a4afb5c85d640111e7e87ec810183c1742c17da87000daf0a5ee6cb46f10ab9d49bdffbdd67566dc8682bf7
-
Filesize
371KB
MD577b13a3fd07083ce83966ad88c56783f
SHA1f233315220091a448f740a6ad71cd7b45ecaae92
SHA2565fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8
SHA512e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e
-
Filesize
206KB
MD5ef4b98983a112ab0cd247faf227bd5e1
SHA16e117ab856666570dd067008aabe5fcd9f0735ac
SHA2566639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620
SHA512adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221
-
Filesize
12KB
MD59403417cabef4a164263a6d85bfddba5
SHA13c1f1b1c7e911b93933d8c116a6bfd305ce03d18
SHA2567a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9
SHA512f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991
-
Filesize
176KB
MD5486ce910a0924bb56ac5d8d7db61e7c0
SHA188139cdedbe75eb1441972b4bd5b498c1eb2e38c
SHA2568511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9
SHA5120b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
2KB
MD54f967b1e131920d5d7c6b688ececa9bf
SHA183eaa89b487719c8ae588c307449a9c498b70a53
SHA256078aaf3ace6630202547e14acce854fc2d7e0d4ef9a5a6dc4da3790b4be0bb6b
SHA512e872121e913147951c8c2df02b64bd6cf8bccf1b4e2ccfbf1f2aacd61d6779d7e85744aa1eb113bb66eda40f9bca25d5d141e31f19e22379393cfc68711a725a
-
Filesize
746B
MD5147a03c4050201a83d3ac2de983fe7a4
SHA1d28e3b8266c5bcc5edf52c70ee88f9ced59d4ec3
SHA2565bf4114731109fcd424ee0d94192c88df3cec48ed2f42e8afa5394bfd026a6de
SHA512eba6443ab465a2e68f8c7aeaee084fa68fecf3a38932d0b31734917000c5b05f5ae5f34fc2268057724018e3cb6daa94c9bc1e46cc30a983627f84823966b05d
-
Filesize
12KB
MD5dceac4031d9a956e5da6a4f88692e36b
SHA17b17fc6d16bf64d2db9422e005113a35f914c503
SHA2566d1c4d5612c1f1a21db5259eb0f370d1f861afdb6dd90055abff3fb5392f5a87
SHA512d0d2cb7a8bc4f0314410b279701ffca5c2a0bdd91ad48a9d544647896c316fcac22960700538b45cc11323faf7ffd553b8d348e68c5adc2e263090776165b784
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5f97fd3d2a816a3f8992bf6fa7889c0de
SHA11af12941368be365b5db3863dfb38f03c2027038
SHA25609b1dd18a8c739917c730daca39587e28487d86438bb9af7691bb8631e1bca01
SHA512c48395954e69ae1b0c8f5df16cd3bf5f33586c013a1a1957788926ee79db24d8a4fdb180acff9177e270d87febc04d7219552850dd6e5c8130e6654b26dc955e
-
Filesize
7KB
MD54a66bfc68ca9e41104e9544891ade92a
SHA122f02baa64cc6e226e274fd7528457147d3ab5b4
SHA256cffe29c365072c97c6efb3c9a2555144b309d5ff0c04ed13cbd110a32d7e3fa9
SHA5121ef97906f5218849d067bd666668a4c193ce91b0a1869de39c3f61c16316d2c3bb7695115a146ba20983aafc9f97fa251b77da912854a6ab8a0ed77cd5f817d8
-
Filesize
6KB
MD58e14b6a237e9427538767dde4dc1bb21
SHA134287651dcca1269c9f8d002f0ab2fd336cb1065
SHA2564e3848e1b6d89165cd351734efc4bb034aa6421f9d5a62100029f9d6dee7e4e6
SHA512a3f2511ef85719d795920c743ab609b883ed8158d13e0548495b9b612ba0b1c1c0324832391262835528df0933b9d0a47a86da2614a691d2076f29efb616680d
-
Filesize
7KB
MD5799fabc1b2d6704748b3e5bed99f87b7
SHA1ff7c55166635be2d32a1df9f5391f613a788a9c3
SHA256274fc30a9ad2736a6812b0b6e8915ee5d9edf405a3ef6c94e0a1ca4110ad47d6
SHA512802ce08981ddec9c748b6eb858f275f02a7d4b9bf128a249091a9f5a0cfc65526052148ec7b9286203f8c0b0b759b50492d60da9224247cfdddc4ad2ff605ac1
-
Filesize
6KB
MD54213c1cee1657c763e9cfcb16814bd28
SHA13a447c4c8de4d92e2dbcabadaeab16e4ca370b44
SHA2562c74c26c5d3cf7e6c45554414a06d3de35d11ac6ae813e990939f5ec2725a726
SHA51210b082732eeb7766eded442ab7c1a5292de5f985a1e02ae619eb6dc962b5c19a799ab742261f10a1aeec04db35160158de2d84e5563edf70650d88e8357d4975
-
Filesize
2KB
MD55cbcec54c5b97e6a6d0deb1b380732ff
SHA18ffa9395e6e04537afc4654a90f152e6d3e84f80
SHA256077ebdcf1c8fb8a535a4a63e9d91a94c6464760f3d78ff8d2f69c719a30ec194
SHA5123190d902fa2ff1ce8ccfb787764b4fa567923b7045e274152b65177fb4895b352fb2410e696455c7971b803859184d2cc232c178e798a34f6ec14d0f3a3c9412
-
Filesize
1KB
MD5264f8008142fdc0f4126c0db5db70885
SHA164cae926d23d5b5ac23ffe19259c27738521f9a6
SHA25624b026e7e91c2936f6710d1761e8f4ba0e89941a03b03881512b8dacf32fbcd7
SHA51214d4820e992d41e6a9c30809e027c97f2fcf91b60fdc8a939635eb3b477eb1f99018576146ab30498214abf74a51fbea1c0619801c8e0ef6a255689f09829cd0
-
Filesize
16KB
MD56839b28aecbd165605349851b9f9d9c4
SHA1ec894b3b75121b1a16b42d1001dda1f159e16659
SHA256e17233e0ce1e2a9c5e531c5610e9e811731a2595e348edc2ca8e977d3de2e1d2
SHA51229f7f5b1fc299b50440120c26b3d1fb1b7c805fd1c40793f4e86d5fa23784f6e45e93f7c834bf63cf541d1f1eadba29612d30f343569c1a9157c30265e660e57
-
Filesize
16KB
MD564fd17e170fab2cd11acf6138f089125
SHA131e402ee249321714564607edaa63dc3f9290766
SHA2566b0560b75db72b94777e7ff9591ac542aa79187421c42bea1a5955e86a83dfdd
SHA5120bea13174ed3dc2615ec6f6cd51402574184ebccc530305e846806c1544739fcead94bbab2069bb632b8a47d5a515e309b6e05af78159c772d11385f2b4b721f
-
Filesize
2KB
MD592275517a4ea399f12fd90f891c717f2
SHA140d505db84e8077cdcb0e7c333a642768f80eed0
SHA25670869327de88f366afac68e353fc041d1eb18f6ba55790176796814695b9bdc3
SHA5126e17fe65fe64fffd160c3c42f14f2688333019b9a3ed10207d4f42cc2adfc4c3e9617415af17ebf8c81cd33709ec93b29536d98de8891aadd28d2f9618a94517
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB