Analysis
- max time kernel: 75s
- max time network: 76s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/05/2024, 00:17
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Signatures

Detect ZGRat V1 (5 IoCs)
yara_rule family_zgrat_v1 matched in the following resources:
- behavioral1/memory/5748-132-0x0000000000400000-0x000000000044A000-memory.dmp
- behavioral1/memory/5676-135-0x00000000004C0000-0x0000000000535953-memory.dmp
- behavioral1/memory/5160-158-0x0000000000AA0000-0x0000000000B15953-memory.dmp
- behavioral1/memory/1620-162-0x0000000000D00000-0x0000000000D75953-memory.dmp
- behavioral1/memory/5252-164-0x0000000000940000-0x00000000009B5953-memory.dmp

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
yara_rule family_redline matched in the following resources:
- behavioral1/memory/5748-132-0x0000000000400000-0x000000000044A000-memory.dmp
- behavioral1/memory/5676-135-0x00000000004C0000-0x0000000000535953-memory.dmp
- behavioral1/memory/5160-158-0x0000000000AA0000-0x0000000000B15953-memory.dmp
- behavioral1/memory/1620-162-0x0000000000D00000-0x0000000000D75953-memory.dmp
- behavioral1/memory/5252-164-0x0000000000940000-0x00000000009B5953-memory.dmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (4 IoCs)
description / pid / Process / procid_target:
- PID 5676 set thread context of 5748 / 5676 / Insomnia.exe / 129
- PID 5160 set thread context of 3796 / 5160 / Insomnia.exe / 134
- PID 1620 set thread context of 2916 / 1620 / Insomnia.exe / 138
- PID 5252 set thread context of 5148 / 5252 / Insomnia.exe / 145

Program crash (4 IoCs)
pid / pid_target / Process / procid_target:
- 5836 / 5676 / WerFault.exe / 127
- 5076 / 5160 / WerFault.exe / 133
- 448 / 1620 / WerFault.exe / 137
- 5632 / 5252 / WerFault.exe / 144

Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process:
- Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS / msedge.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer / msedge.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName / msedge.exe

Modifies registry class (1 IoCs)
description / ioc / Process:
- Key created / \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings / msedge.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid / Process (identical consecutive entries collapsed, with their count):
- 2312 / msedge.exe (x2)
- 2100 / msedge.exe (x2)
- 3216 / identity_helper.exe (x2)
- 4136 / msedge.exe (x2)
- 5748 / RegAsm.exe (x18)
- 3796 / RegAsm.exe (x1)
- 2916 / RegAsm.exe (x2)
- 5148 / RegAsm.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
pid / Process:
- 2100 / msedge.exe (x12)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 5748 / RegAsm.exe
- Token: SeDebugPrivilege / 3796 / RegAsm.exe
- Token: SeDebugPrivilege / 2916 / RegAsm.exe
- Token: SeDebugPrivilege / 5148 / RegAsm.exe

Suspicious use of FindShellTrayWindow (33 IoCs)
pid / Process:
- 2100 / msedge.exe (x33)

Suspicious use of SendNotifyMessage (24 IoCs)
pid / Process:
- 2100 / msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (all 64 entries are writes by 2100 msedge.exe; identical consecutive entries collapsed, in report order):
- PID 2100 wrote to memory of 1760 / 2100 / msedge.exe / 84 (x2)
- PID 2100 wrote to memory of 656 / 2100 / msedge.exe / 85 (repeated)
- PID 2100 wrote to memory of 2312 / 2100 / msedge.exe / 86 (x2)
- PID 2100 wrote to memory of 3660 / 2100 / msedge.exe / 87 (repeated)
The entries for 656 and 3660 together account for the remaining 60 of the 64 IoCs.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2100)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://insomniahack.fun
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1760)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed99846f8,0x7ffed9984708,0x7ffed9984718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 656)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2312)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3660)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4280)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3348)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 512)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3292)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2908)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4436)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3216)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1860)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2240)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 864)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3580)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3432)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4920)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4384)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5656 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2588)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4136)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,10365225932655077098,11418327558633360020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 4344)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 960)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe (PID 5200)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Temp\Temp1_Insomnia.zip\Insomnia.exe (PID 5676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Insomnia.zip\Insomnia.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5748)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 5836)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 300
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5800)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5676 -ip 5676
- C:\Users\Admin\AppData\Local\Temp\Temp1_Insomnia.zip\Insomnia.exe (PID 5160)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Insomnia.zip\Insomnia.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3796)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 5076)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 276
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5212)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5160 -ip 5160
- C:\Users\Admin\AppData\Local\Temp\Temp1_Insomnia.zip\Insomnia.exe (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Insomnia.zip\Insomnia.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2916)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 448)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 288
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 404)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1620 -ip 1620
- C:\Users\Admin\AppData\Local\Temp\Temp1_Insomnia.zip\Insomnia.exe (PID 5252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Insomnia.zip\Insomnia.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5148)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 5632)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 288
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5152)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5252 -ip 5252
Network
MITRE ATT&CK Enterprise v15
Downloads