Analysis

max time kernel: 98s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-02-2024 18:19
Static task: static1
URLScan task: urlscan1

General

Malware Config

Extracted family: lumma
Extracted URLs:
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures

Executes dropped EXE (3 IoCs)
  pid   process
  5324  Set-up.exe
  5632  Set-up.exe
  6028  Set-up.exe

Loads dropped DLL (23 IoCs)
  pid   process                    entries
  5324  Set-up.exe                 7
  5632  Set-up.exe                 7
  6028  Set-up.exe                 7
  6024  win_rtm.090713-1255.exe    1
  1928  win_rtm.090713-1255.exe    1

Suspicious use of SetThreadContext (3 IoCs)
  description                         pid   process     target pid  target process
  PID 5324 set thread context of 5592  5324  Set-up.exe  5592        cmd.exe
  PID 5632 set thread context of 5756  5632  Set-up.exe  5756        cmd.exe
  PID 6028 set thread context of 6120  6028  Set-up.exe  6120        cmd.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe

Modifies registry class (3 IoCs)
  description  ioc                                                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  7zFM.exe
  Key created  \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings                                          msedge.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                   7zFM.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   process              entries
  2292  msedge.exe           2
  4920  msedge.exe           2
  4000  identity_helper.exe  2
  700   msedge.exe           2
  5324  Set-up.exe           2
  5592  cmd.exe              4
  5632  Set-up.exe           2
  6028  Set-up.exe           2
  5756  cmd.exe              4
  6120  cmd.exe              4

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  3240  7zFM.exe

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process
  5324  Set-up.exe
  5632  Set-up.exe
  5592  cmd.exe
  6028  Set-up.exe
  5756  cmd.exe
  6120  cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   process     entries
  4920  msedge.exe  7

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                        pid   process
  Token: 33                          4044  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  4044  AUDIODG.EXE
  Token: SeRestorePrivilege          3240  7zFM.exe
  Token: 35                          3240  7zFM.exe
  Token: SeSecurityPrivilege         3240  7zFM.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
  pid   process     entries
  4920  msedge.exe  33
  3240  7zFM.exe    2

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   process     entries
  4920  msedge.exe  24

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries are "PID 4920 wrote to memory of <target>", source process msedge.exe (4920), target process msedge.exe.
  Target PIDs, in order of first appearance: 1036, 4564, 2292, 4792 (the bulk of the writes go to 4564 and 4792).
Processes

Each entry gives the image path and PID, the full command line, and the signatures the sandbox attached to that process. Children are indented under their parent.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4920)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/Zf9EGZyJ#WyV0aNq1kd2URWcvzdClSQTqGxdn3LZHTC4HMDc-_Tg
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1036)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9b3a46f8,0x7ffc9b3a4708,0x7ffc9b3a4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2292)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4792)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4564)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3928)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1656)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4000)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1076)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5592 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3736)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 60)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1044)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2812)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4240)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5732 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5016)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 700)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,10743867026883395471,10383124532156864605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 4908)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4960)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE (PID 4044)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x498 0x308
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (PID 4408)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe (PID 3240)
  cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_@!File_2024_ṔḁṨṨẄṏṛḒ#.zip\@!File_2024_ṔḁṨṨẄṏṛḒ#\@!File_2024_ṔḁṨṨẄṏṛḒ#.rar"
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Downloads\Set-up.exe (PID 5324)
  cmdline: "C:\Users\Admin\Downloads\Set-up.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

    C:\Windows\SysWOW64\cmd.exe (PID 5592)
      cmdline: C:\Windows\SysWOW64\cmd.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

        C:\Users\Admin\AppData\Local\Temp\win_rtm.090713-1255.exe (PID 6024)
          cmdline: C:\Users\Admin\AppData\Local\Temp\win_rtm.090713-1255.exe
          - Loads dropped DLL

C:\Users\Admin\Downloads\Set-up.exe (PID 5632)
  cmdline: "C:\Users\Admin\Downloads\Set-up.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

    C:\Windows\SysWOW64\cmd.exe (PID 5756)
      cmdline: C:\Windows\SysWOW64\cmd.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

        C:\Users\Admin\AppData\Local\Temp\win_rtm.090713-1255.exe (PID 1928)
          cmdline: C:\Users\Admin\AppData\Local\Temp\win_rtm.090713-1255.exe
          - Loads dropped DLL

C:\Users\Admin\Downloads\Set-up.exe (PID 6028)
  cmdline: "C:\Users\Admin\Downloads\Set-up.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

    C:\Windows\SysWOW64\cmd.exe (PID 6120)
      cmdline: C:\Windows\SysWOW64\cmd.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

        C:\Users\Admin\AppData\Local\Temp\win_rtm.090713-1255.exe (PID 4620)
          cmdline: C:\Users\Admin\AppData\Local\Temp\win_rtm.090713-1255.exe
Network
MITRE ATT&CK Enterprise v15
Downloads