redline | 4ec76eb7a26ba0b31255b177ff476b0dc2d7cba06dd015eac838cb0e585d1b7f

Analysis

max time kernel
90s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
08/04/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

External v_4.26.exe
Size

279KB
MD5

1b3a071cd0ad94839874a3471e89b8aa
SHA1

ce82ce87e39705d8b05055fbdfacafa675f9b4db
SHA256

4ec76eb7a26ba0b31255b177ff476b0dc2d7cba06dd015eac838cb0e585d1b7f
SHA512

796eda6dece8257d115a98a7ca5c33e39078e8f7275fe17f42d5b73e4d826889a09ae2e2e8f6987630b66d26b2da88f5eabee4a2bb330cf947638590f7169b00
SSDEEP

6144:K/PT2fQDz89hqi1l+t7aelEgNOXG9imxUg:cLCQU9hqi+lEgNoe9x

Score

10^/10

redline zgrat discovery infostealer rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/3036-4-0x0000000000400000-0x000000000044A000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3036-4-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 3036	1720	External v_4.26.exe	80

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "102"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2930051783-2551506282-3430162621-1000\{AA63833B-E840-4865-88DA-1A76AAE88C47}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2896	vlc.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3036	RegAsm.exe
5200	msedge.exe
5200	msedge.exe
5452	msedge.exe
5452	msedge.exe
6100	msedge.exe
6100	msedge.exe
4052	identity_helper.exe
4052	identity_helper.exe
4284	msedge.exe
4284	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	RegAsm.exe
Token: SeDebugPrivilege	2704	firefox.exe
Token: SeDebugPrivilege	2704	firefox.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2704	firefox.exe
2704	firefox.exe
2704	firefox.exe
2704	firefox.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
2704	firefox.exe
2704	firefox.exe
2704	firefox.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
2896	vlc.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2704	firefox.exe
2896	vlc.exe
7628	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 560	1720	External v_4.26.exe	79
PID 1720 wrote to memory of 560	1720	External v_4.26.exe	79
PID 1720 wrote to memory of 560	1720	External v_4.26.exe	79
PID 1720 wrote to memory of 3036	1720	External v_4.26.exe	80
PID 1720 wrote to memory of 3036	1720	External v_4.26.exe	80
PID 1720 wrote to memory of 3036	1720	External v_4.26.exe	80
PID 1720 wrote to memory of 3036	1720	External v_4.26.exe	80
PID 1720 wrote to memory of 3036	1720	External v_4.26.exe	80
PID 1720 wrote to memory of 3036	1720	External v_4.26.exe	80
PID 1720 wrote to memory of 3036	1720	External v_4.26.exe	80
PID 1720 wrote to memory of 3036	1720	External v_4.26.exe	80
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 4272 wrote to memory of 2704	4272	firefox.exe	87
PID 2704 wrote to memory of 2544	2704	firefox.exe	88
PID 2704 wrote to memory of 2544	2704	firefox.exe	88
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89
PID 2704 wrote to memory of 868	2704	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe
"C:\Users\Admin\AppData\Local\Temp\External v_4.26.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.0.52216821\1953301206" -parentBuildID 20221007134813 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c556556d-085e-4249-8e3a-d4cde8bac5c8} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 1852 29e5dad1d58 gpu
    3⤵
    PID:2544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.1.2030522006\1650302565" -parentBuildID 20221007134813 -prefsHandle 2220 -prefMapHandle 2208 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dcd1cf8-9773-44e3-9687-701545934e23} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 2232 29e51b72258 socket
    3⤵
    PID:868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.2.1318999587\164748168" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2960 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dabdb96-a51b-40cc-ab6a-a2670f91c74b} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 2936 29e5da60058 tab
    3⤵
    PID:2768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.3.593547350\374448120" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3444 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fb0bc3d-bf03-4d8a-a0b6-4b51a1d3f881} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 3456 29e51b67b58 tab
    3⤵
    PID:2784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.4.965185163\1956784600" -childID 3 -isForBrowser -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e09068f4-0aa2-41fa-91fd-df4e035948f5} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 4532 29e64adec58 tab
    3⤵
    PID:800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.5.940593933\36131366" -childID 4 -isForBrowser -prefsHandle 5056 -prefMapHandle 4968 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ba6addc-ab78-450f-aee2-a2da5dbaffda} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 5084 29e6172d358 tab
    3⤵
    PID:2012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.6.649374593\767288186" -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ec9e722-8347-40cc-9675-add79a00ab59} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 5208 29e6172e558 tab
    3⤵
    PID:4692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.7.1774517090\462989797" -childID 6 -isForBrowser -prefsHandle 5420 -prefMapHandle 5424 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {def3cdaf-ce6c-4915-b62a-e1c5a8a265fe} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 5408 29e6172d958 tab
    3⤵
    PID:772

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SplitMerge.m4a"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc7bca3cb8,0x7ffc7bca3cc8,0x7ffc7bca3cd8
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:6208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:6284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:6428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:6512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:6768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:6776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:6788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
  2⤵
  PID:6796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:6388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:6416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
  2⤵
  PID:6648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18264438823410587425,8545226882004694112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:6672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:7628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3aea69174f5f8a6b05462a585e3451b2

SHA1
5f8732c795a60eccafa7da3d6dd83dff88088ff0

SHA256
74a1dd3f3719ebb3e4b005bac4b65e149ae4014356df3c9c42a3cb34f5725019

SHA512
a1cdb73fd636995e60a7eecdba590b0aa91888cb5e8e9bed32ab086fa8dbc4ffdb94312c1e49260bce47dfbdfa5d20d130715c02f14fd8c6d04ad4657e6cd501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
7b60155d4dabdd0a3dd6cd49367cc5d4

SHA1
328c59cf3d257bace2fb698814a1b3207c6a317d

SHA256
1ab3d8f25dc696420b312d5be57cca9aed4e95a8d72ce6ea6f98be67a45024c4

SHA512
3f0dffd5b3a1c2ea46017ec38e5e23483db017feb4bc35a8c832ed15b7892feb2d702a971e4ebdd5509fe860e77907105310e74703084eac1fdb5a5d70cdba93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34b16f730c25c5fa8a88a844c31ada03

SHA1
5d36029c704fd1936cb025e54a3dbbee3daff8eb

SHA256
8d22476cc374b3ca4c98386b84f2afff82eb2dc8f22d4f1934d9b174d332cf82

SHA512
d0b38d8f576b3d60f69e9c086df71f2b7b51b5d7a426725f75983871b81732e84efee02aac060d89084cd9426d3e91f686bd374d9a35d07ac867264bf0015b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
2587e9809415b60262319149f18efcab

SHA1
d9db8b1326f0068fae34881514c0dda87ccf4374

SHA256
22b811fca1b6d0d02e04f155807801fd57b7f3c566a693ce616de36079d011ff

SHA512
7a5f086f3f75ae42eb09941859942c0055316096f5ec7efff221114d5d00399b7686da6de7a47745c38784d77e1fd34b8144d32d2322c71f24b21043185ff609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c730885ce690cd1c5c88ae50edf146b

SHA1
6d4c370cb6930ecaec83e1d3377d128475bd1b95

SHA256
72165deac0b29edfd57594496d7869a2b7d740faea8b6f790757f6bbc05c59a6

SHA512
3bcd95d08b0c45f7181a08043d75dbd52d68d0a0eec7c2a6eb146ae8dabd5e76ad318061d5233434d85d0e7bc39054c7ac22b97ce83708c4b7bd5e4900934db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
2e59ca800ec15b37f6d952cf996dcd27

SHA1
3c7c15611276e71179cdd24a7fecc787b6f48eeb

SHA256
d3636c22620f9e03623c8ed66a9ea7af6302c2db0d8fce7e4a012d1ef0f710eb

SHA512
94edfd8173c3e5b4a7308d91ee38a7187d21ebdf120255a9aca2f9ff039309016466469ef0d136be5dea5cfb7d890144a3eed39edaafeb51e216f47a90fb0064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ceee2c8d61afccc3a819da7f03114d6f

SHA1
698a2596bbd0682ea19db229f8573ef99cef9ffd

SHA256
2ff0580f41e7a765ebbf4d8dbb8eda684f28f9e7a4d160637b75bb3b24866a6c

SHA512
4980b3c6e88200c740284cc9580fee3b3ab1dd6e3e28cf83f7d1fef7d114de6cc0e8f8de53f952e6890e964a1026b215bcf81a7ab65903ee42b19dc796417cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ab3f.TMP

Filesize
2KB

MD5
01f1d0a9c0f33313816a9ce5587914a0

SHA1
6f2ab847818704e43c7aa00f2753d7237cef469b

SHA256
eb58ab665115f2911e344dbaf8987a1fcedb1549932e7ddcda242fd1f9fd2edd

SHA512
cf335f728c106f23cec7542416eb181cfa97e7be041610debe1a8919b23bb862528b904da797632f9912c439653eaea9086848486a3b4fa50fe3ae1bf048df77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5db4d0d7e04931335d03f7c66ec7f3ce

SHA1
bbe124617d9714061d6e357042306cf21989a9ab

SHA256
6531864bea23831824dcac934ca9ed8370ba3d34939a668f196a7ee3324a7b3c

SHA512
688bd547f415beb143752083cc0dd13949f1d3b46e943a294cc622b21dffc3bd4d00d8043361b91bc5663d8d3ad41b1a85fede20fbbd41169a227ccbde501ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c45edf4e87f8d789028d777b0ec6fcfd

SHA1
b42820905e1d824edc43922bb7f4062506b87a2d

SHA256
6a90e34cca0be66e4c0817109bcb75a5acf4a13019e1cf66fef9fc7f11a65b3a

SHA512
03c159b2c64f7fdebee7c998a047f065528f4ecd662992789fba85e6c652eaf0f1d139af903618a69ef438a98312d73a5625801c155bf19a5372cdf3f2831d77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
23756f50d218e28f219cc9d24f236ff4

SHA1
12fe2c6c8be017abecb6df11d452cf03adf54145

SHA256
71a37dcd8ccb8a4003eb4240f4dd8345a42f014440af39f67f711c6651a549e9

SHA512
08bc3cde2ea74d11919d8030db94d55c9ba4962ab90b13982bb78531352500eddd6f20e384193ba7277225d396a3079a4f993cf0b3c81d51e4d27eca21136b18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\530ea18f-2fe3-4e1d-a42b-9e4a6d9d812a

Filesize
746B

MD5
6d9e23fab74656572ad09c438dc99f39

SHA1
f3b3eaa7f178b74f6fcdd0678a881d899f048265

SHA256
e35fc3f382a98dda86a051b6e865212b5f8b25f21164996d1cc0366ac95e4868

SHA512
8ff38ee722516e799d4d6bf3862dfd00f0c5c63eb605fda2b3e0f72b20a96714d665252c3424ac29650758a7b6d1fdae93ae4522a1a4e4fd8b48c40696d11bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\8107f121-658e-4de4-962c-2e9be5e5d5a6

Filesize
12KB

MD5
72108aee4c899aa7004105fb91142829

SHA1
9861caa06327c98e8d20c363b38e6a40bd53dc50

SHA256
6b022f1c9628a7fe899c21961f52bcc4341ffc09fe84520345b94c200a5285b6

SHA512
3dcc3c7f3d5ae21c857a4a87917d097bf990c1b69a051e7a7dc0c54bf8df3b7c2696c3a1403b5f3bda52916180a3da536a2d43281b794e298a287f8910ad6a84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js

Filesize
6KB

MD5
59803691289c977fbb6201054d28d8c2

SHA1
54251212b469ca51a6b2208221676412a07f8d82

SHA256
c7b7efa2ab1b82cf498fe03e1d5c2123fe5357e9e54cad52488c1d7d9d4e533a

SHA512
c9348f50562d2c57edd505ee86b1ca9ddb10d772c33fedde87e2640983af10b41154f9b9f564df6b6f933738babca785d19ea967b0978637f6865f8550fd8d2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js

Filesize
6KB

MD5
9d2d57d62beb8ff685842cbb1a8265a5

SHA1
29f2ecba59c0ef4e3c2b9e7a17bf369da20d2ecb

SHA256
318af1fc9ae9ff9c6784ed94b311a7dece127e234675461430a3c004345d5b7a

SHA512
cb3bce067198593abe39405b24869720c226a8f456d5a8fda3b3d866b533dea59948aabefb545e1741171cc9a0767333b5ec07b8e22084ba4f680b2382ce91af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
16b3fb452e3bbff6428af82c0a376a08

SHA1
fe58dce6a45c34074a7fcb6b65cfdd16848c757a

SHA256
efb2fe18f5f7b01c6d63d5be62cbde26da79118bb240aa01cee0a7127577a462

SHA512
1aac9593f7c96490595f3f2a376645185a43f39854d147b6323dcfd4bd47d7fffc449a674a83f903f9a85c538c6c5c644c6ad42e143684e33fd165183f1d2b21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore.jsonlz4

Filesize
856B

MD5
e326e9806c3234a7082ccf43bda25204

SHA1
82ca546283902d7cba91ee63e78136ac5d18f165

SHA256
1c81d12c22dd9e0fd9012b41d69f874a2ce5b01d3969ed4b43c47af99cd7d41e

SHA512
e1c2fd6078c4c81ebc5ffeb382aeb7381f7eb1f575e89e0d685dd864ae757e042e4680a4b981e99b7623ea82eeac5c5a079fe839cea78c34c64fe56fa126ba1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
a6e2c0d6b59075fff94c66f804c74cbd

SHA1
56a81d3bc20afb57fcc4eb43f6862b4ee9a0ccaa

SHA256
4488d7e333fb1e3b4f981576f37b5fbd3fc32b88d465bf2356dbf5ee3d008641

SHA512
54594421b00052ae2fb0b4adadcd9ec8a89be1c56ee623f21f7793e6c648084073b548e18b11f38d17fd15efd2ed291fa94ae5413a261ea056173d4b243a4fbf

Download Submit
memory/1720-0-0x0000000000250000-0x000000000029C000-memory.dmp

Filesize
304KB

Download
memory/1720-7-0x0000000074D20000-0x00000000754D1000-memory.dmp

Filesize
7.7MB

Download
memory/1720-91-0x00000000028E0000-0x00000000048E0000-memory.dmp

Filesize
32.0MB

Download
memory/1720-1-0x0000000074D20000-0x00000000754D1000-memory.dmp

Filesize
7.7MB

Download
memory/1720-10-0x00000000028E0000-0x00000000048E0000-memory.dmp

Filesize
32.0MB

Download
memory/2896-121-0x00007FFC69100000-0x00007FFC69134000-memory.dmp

Filesize
208KB

Download
memory/2896-124-0x00007FFC66730000-0x00007FFC66842000-memory.dmp

Filesize
1.1MB

Download
memory/2896-123-0x000001BB4D8B0000-0x000001BB4E95B000-memory.dmp

Filesize
16.7MB

Download
memory/2896-120-0x00007FF78F2A0000-0x00007FF78F398000-memory.dmp

Filesize
992KB

Download
memory/2896-122-0x00007FFC68E40000-0x00007FFC690F4000-memory.dmp

Filesize
2.7MB

Download
memory/3036-13-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/3036-19-0x00000000067E0000-0x0000000006846000-memory.dmp

Filesize
408KB

Download
memory/3036-16-0x0000000006480000-0x0000000006492000-memory.dmp

Filesize
72KB

Download
memory/3036-23-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/3036-15-0x0000000006550000-0x000000000665A000-memory.dmp

Filesize
1.0MB

Download
memory/3036-14-0x0000000006A10000-0x0000000007028000-memory.dmp

Filesize
6.1MB

Download
memory/3036-18-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/3036-12-0x0000000074D20000-0x00000000754D1000-memory.dmp

Filesize
7.7MB

Download
memory/3036-11-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3036-17-0x00000000064E0000-0x000000000651C000-memory.dmp

Filesize
240KB

Download
memory/3036-9-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/3036-8-0x00000000058F0000-0x0000000005E96000-memory.dmp

Filesize
5.6MB

Download
memory/3036-20-0x0000000007130000-0x00000000071A6000-memory.dmp

Filesize
472KB

Download
memory/3036-4-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3036-21-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/3036-22-0x0000000008B90000-0x0000000008D52000-memory.dmp

Filesize
1.8MB

Download
memory/3036-25-0x0000000074D20000-0x00000000754D1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads