Overview

Tasks in this submission (score is the badge shown on each task tab; all behavioral tasks ran on windows10-2004-x64; this page is behavioral19):

  static1        score 10   static analysis of the submitted set
  behavioral1    score 3    0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe   win10v2004-20240426-en
  behavioral2    score 10   0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe   win10v2004-20240426-en
  behavioral3    score 10   21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exe   win10v2004-20240426-en
  behavioral4    score 10   2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe   win10v2004-20240508-en
  behavioral5    score 10   299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5.exe   win10v2004-20240508-en
  behavioral6    score 10   3d64fae31acb5d4e6e0319606608e94d2b3a017279c295dba43ce4d28aab53d7.exe   win10v2004-20240508-en
  behavioral7    score 10   652a4e2d36de8360e61d407c228b3eb8948cafa60881c208bbd568afd7222f35.exe   win10v2004-20240426-en
  behavioral8    score 10   6b4d258a8d8ba67789ff7894ed84c9e89d61a4f8f9d156a7c732ddf5e5f4511a.exe   win10v2004-20240508-en
  behavioral9    score 10   74c99e0dfdc0750268c34c3d63288e0bea52796a82c9b157a495fbe2608d4942.exe   win10v2004-20240508-en
  behavioral10   score 10   7e6bab949194c1776ccda7ecf613ef45e2d619717d44730efec0049e322789d0.exe   win10v2004-20240426-en
  behavioral11   score 10   80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.exe   win10v2004-20240426-en
  behavioral12   score 10   a96b2772021c2a9c228f53c7583855c51eac18dbb16e1dc62969e62c6aa9ceca.exe   win10v2004-20240426-en
  behavioral13   score 10   b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe   win10v2004-20240426-en
  behavioral14   score 10   c1237a6a46458518390f044aae909d7b4e395ae64c6bb1db16e0cbe581f8d65b.exe   win10v2004-20240508-en
  behavioral15   score 10   d7fde0f5efb7f555528ff1c98946e36088ec7396d07c4fd0a577c6b49c4bcd97.exe   win10v2004-20240226-en
  behavioral16   score 10   da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60.exe   win10v2004-20240426-en
  behavioral17   score 10   dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exe   win10v2004-20240508-en
  behavioral18   score 10   e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe   win10v2004-20240508-en
  behavioral19   score 10   e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe   win10v2004-20240426-en   (this report)
  behavioral20   score 10   f3b64421133b7924d58e6aecea4508423a6b611f1b55b129f7ac031c0458b73b.exe   win10v2004-20240426-en

Analysis (behavioral19, score 10)

  max time kernel:   148s
  max time network:  151s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240426-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         24-05-2024 05:30
General

  Target:  e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe
  Size:    1.3MB
  MD5:     ba596649dd39015b9ebb20e53e576673
  SHA1:    1f6bb78f5decfae319019346d7a2c5c2d5be2cd4
  SHA256:  e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0
  SHA512:  4544fd2669ff8d9632241040946868026712ddc7faf1a0db708ccf8f0c7edcb92a6c6ec9167b59421014158b0f27353b6afc4026d3a2748bb7fa3252e2747f57
  SSDEEP:  24576:gyfJAGy3eES79rsujbjYlvUJG76Sh44Q+x6/7XOHG+nnsQPGKkUw:nfJBbES79rjYbth44xsKxJPGKk

Malware Config

  Extracted configuration (RedLine):
    Family:  redline
    Botnet:  breha
    C2:      77.91.124.55:19071   (host:port as carried in the stealer's configuration; the network capture itself is not reproduced on this page)
Signatures

Detect Mystic stealer payload (1 IoC)
  resource: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Je6892.exe   yara_rule: mystic_family
  (On-disk hit on the second-stage executable dropped into IXP003.TMP; it runs as PID 1968 in the process tree below.)

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral19/memory/2452-43-0x0000000000400000-0x000000000043E000-memory.dmp   yara_rule: family_redline
  (In-memory hit only. PID 2452 is the AppLaunch.exe instance whose thread context was set by 4aZ207Wr.exe, so the RedLine code never touches disk under its own name.)

SmokeLoader
  Modular backdoor trojan in use since 2014.
  (Family description only; no SmokeLoader IoC is attached to this task on the page.)

.NET Reactor protector (2 IoCs)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource: behavioral19/memory/4044-28-0x0000000004A20000-0x0000000004A40000-memory.dmp   yara_rule: net_reactor
  resource: behavioral19/memory/4044-30-0x0000000004AD0000-0x0000000004AEE000-memory.dmp   yara_rule: net_reactor
  (PID 4044 is 1Tr42EG0.exe, the stage that also requests SeDebugPrivilege.)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely to geofence execution.
  process: 5QR4sy2.exe   op: Key value queried   ioc: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (8 IoCs)
  PID 4588   EE2Ip30.exe
  PID 5036   uu9aR70.exe
  PID 4844   at1Tc45.exe
  PID 4044   1Tr42EG0.exe
  PID 1968   2Je6892.exe
  PID 2148   3gW94Vu.exe
  PID 1412   4aZ207Wr.exe
  PID 648    5QR4sy2.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  process: at1Tc45.exe
    op: Set value (str)   ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  process: e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe
    op: Set value (str)   ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  process: EE2Ip30.exe
    op: Set value (str)   ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  process: uu9aR70.exe
    op: Set value (str)   ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Caveat: these four values are not persistence for the stealer. A RunOnce value named wextract_cleanupN whose data calls advpack.dll's DelNodeRunDLL32 on an IXP00N.TMP directory is the standard cleanup hook written by an IExpress (wextract) self-extracting package so that its temporary extraction folder is deleted at the next logon. What the hits do establish is that the submitted file, EE2Ip30.exe, uu9aR70.exe and at1Tc45.exe are four nested IExpress wrappers, each unpacking the next into its own IXP00N.TMP folder (the WOW6432Node path also shows they are 32-bit processes).
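The four RunOnce values above are worth classifying automatically, because the same advpack.dll/DelNodeRunDLL32 pattern appears in every IExpress-wrapped dropper and would otherwise be triaged as an autostart entry. The Python below is an added example and not part of the sandbox report: it parses the report's flattened "Set value" rows (copied above as constructed input), undoes the report's backslash escaping, and separates wextract cleanup hooks from values that would actually start something at logon. The hypothetical Updater Run value, and the function names, are this example's own and do not come from the report.

```python
import re
from dataclasses import dataclass

# Constructed input: the four "Set value (str)" rows from the "Adds Run key to start
# application" signature of this report, copied as the sandbox flattens them.
RUN_KEY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" at1Tc45.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" EE2Ip30.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" uu9aR70.exe',
]

# Hypothetical Run value, constructed for contrast (not observed in the report).
HYPOTHETICAL_RUN_VALUE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater.exe" Updater.exe'
)

# One flattened row: 'Set value (<type>) <key>\<name> = "<escaped data>" <process>'
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<process>\S+)$'
)
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
# advpack.dll!DelNodeRunDLL32 aimed at an IXP<nnn>.TMP folder is the IExpress/wextract cleanup hook.
SFX_CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "[^"]*\\IXP\d{3}\.TMP\\?"$', re.IGNORECASE)


@dataclass
class RunKeyHit:
    process: str
    key: str
    name: str
    command: str
    verdict: str  # "sfx_cleanup", "autorun_persistence" or "other"


def parse_set_value(line: str):
    """Split one flattened 'Set value' row into (key, value name, unescaped data, process)."""
    m = SET_VALUE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Set value row: {line!r}")
    data = re.sub(r'\\(.)', r'\1', m['data'])  # undo the report's \\ and \" escaping
    return m['key'], m['name'], data, m['process']


def classify(line: str) -> RunKeyHit:
    """Decide whether a Run/RunOnce write is SFX cleanup, real autostart, or unrelated."""
    key, name, command, process = parse_set_value(line)
    if not AUTORUN_KEY_RE.search(key):
        verdict = 'other'
    elif (key.lower().endswith('\\runonce')
          and re.fullmatch(r'wextract_cleanup\d+', name)
          and SFX_CLEANUP_RE.search(command)):
        verdict = 'sfx_cleanup'
    else:
        verdict = 'autorun_persistence'
    return RunKeyHit(process, key, name, command, verdict)


def triage(lines):
    """Return only the autorun hits an analyst still has to look at."""
    return [hit for hit in map(classify, lines) if hit.verdict != 'sfx_cleanup']


if __name__ == '__main__':
    for hit in map(classify, RUN_KEY_IOCS + [HYPOTHETICAL_RUN_VALUE]):
        print(f'{hit.verdict:20} {hit.process[:16]:16} {hit.name} -> {hit.command}')
```

The classifier keys on all three properties at once (RunOnce rather than Run, the wextract_cleanupN value name, and a DelNodeRunDLL32 command pointing at an IXP<nnn>.TMP folder); a value that matches only one of them is still reported, so a loader that merely names its autostart entry "wextract_cleanup9" does not slip through.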
Suspicious use of SetThreadContext (2 IoCs)
  PID 2148 (3gW94Vu.exe)  set thread context of  PID 4028 (AppLaunch.exe)
  PID 1412 (4aZ207Wr.exe) set thread context of  PID 2452 (AppLaunch.exe)
  Both parents also write into the child's memory (see "Suspicious use of WriteProcessMemory" below, 6 and 8 writes respectively). Create a signed .NET Framework host, write the payload into it, redirect its thread: that is process hollowing, and it is why the RedLine YARA hit above sits in the memory of PID 2452 rather than in any dropped file.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  process: AppLaunch.exe   op: Key opened       ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  process: AppLaunch.exe   op: Key queried      ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  process: AppLaunch.exe   op: Key enumerated   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  (The process tree attributes this to PID 4028, the AppLaunch.exe hollowed by 3gW94Vu.exe; the check is the injected code's, not AppLaunch's.)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  process: msedge.exe   op: Key opened          ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  process: msedge.exe   op: Key value queried   ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  process: msedge.exe   op: Key value queried   ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  (Browser activity: Edge is started by the batch file that 5QR4sy2.exe runs. The msedge.exe hits in this and the next four signatures are the browser's own behaviour.)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 4576 msedge.exe (x2), PID 2828 msedge.exe (x2), PID 868 msedge.exe (x2), PID 6032 identity_helper.exe (x2), PID 1008 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  PID 2828 msedge.exe (x7)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 4044 1Tr42EG0.exe   Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (25 IoCs)
  PID 2828 msedge.exe (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 2828 msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists one row per write; collapsed here into parent -> child edges with the number of rows in parentheses (the edges coincide with the process tree below, because the writes happen while each child is being created):
  PID 624  e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe -> PID 4588 EE2Ip30.exe (x3)
  PID 4588 EE2Ip30.exe   -> PID 5036 uu9aR70.exe   (x3)
  PID 5036 uu9aR70.exe   -> PID 4844 at1Tc45.exe   (x3)
  PID 4844 at1Tc45.exe   -> PID 4044 1Tr42EG0.exe  (x3)
  PID 4844 at1Tc45.exe   -> PID 1968 2Je6892.exe   (x3)
  PID 5036 uu9aR70.exe   -> PID 2148 3gW94Vu.exe   (x3)
  PID 2148 3gW94Vu.exe   -> PID 4028 AppLaunch.exe (x6)
  PID 4588 EE2Ip30.exe   -> PID 1412 4aZ207Wr.exe  (x3)
  PID 1412 4aZ207Wr.exe  -> PID 2452 AppLaunch.exe (x8)
  PID 624  e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe -> PID 648 5QR4sy2.exe (x3)
  PID 648  5QR4sy2.exe   -> PID 3848 cmd.exe       (x2)
  PID 3848 cmd.exe       -> PID 2828 msedge.exe    (x2)
  PID 2828 msedge.exe    -> PID 5108 msedge.exe    (x2)
  PID 3848 cmd.exe       -> PID 4832 msedge.exe    (x2)
  PID 4832 msedge.exe    -> PID 5084 msedge.exe    (x2)
  PID 2828 msedge.exe    -> PID 1712 msedge.exe    (x16)
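Read together, the SetThreadContext and WriteProcessMemory rows say where the payload actually runs: a dropped loader writes into a freshly created, signed .NET host and then redirects its thread. The Python below is an added example and not part of the sandbox report. It rebuilds parent/child edges from the report's own rows (a de-duplicated subset, constructed inline; the msedge.exe-internal rows are left out), flags every child that the same parent both wrote to and set the thread context of when that child is a known .NET Framework host, and returns the drop chain leading to it. NET_HOSTS is an analyst-maintained list and an assumption of this example; the function names are the example's own.

```python
import re

ROOT = "e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe"

# Constructed input: the distinct parent->child rows from this report's
# "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext"
# signatures (repeated rows and the msedge.exe child rows dropped).
IOC_LINES = f"""
PID 624 wrote to memory of 4588 624 {ROOT} EE2Ip30.exe
PID 4588 wrote to memory of 5036 4588 EE2Ip30.exe uu9aR70.exe
PID 5036 wrote to memory of 4844 5036 uu9aR70.exe at1Tc45.exe
PID 4844 wrote to memory of 4044 4844 at1Tc45.exe 1Tr42EG0.exe
PID 4844 wrote to memory of 1968 4844 at1Tc45.exe 2Je6892.exe
PID 5036 wrote to memory of 2148 5036 uu9aR70.exe 3gW94Vu.exe
PID 2148 wrote to memory of 4028 2148 3gW94Vu.exe AppLaunch.exe
PID 4588 wrote to memory of 1412 4588 EE2Ip30.exe 4aZ207Wr.exe
PID 1412 wrote to memory of 2452 1412 4aZ207Wr.exe AppLaunch.exe
PID 624 wrote to memory of 648 624 {ROOT} 5QR4sy2.exe
PID 648 wrote to memory of 3848 648 5QR4sy2.exe cmd.exe
PID 3848 wrote to memory of 2828 3848 cmd.exe msedge.exe
PID 2148 set thread context of 4028 2148 3gW94Vu.exe AppLaunch.exe
PID 1412 set thread context of 2452 1412 4aZ207Wr.exe AppLaunch.exe
""".strip().splitlines()

# Row layout: "PID <src> <op> <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Signed .NET Framework hosts that loaders commonly hollow. Analyst-maintained
# list; an assumption of this example, not something the report states.
NET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
             "installutil.exe", "vbc.exe", "csc.exe"}


def parse_edges(lines):
    """Return (memory_writes, thread_contexts, images): two sets of (src_pid, dst_pid)
    edges and a pid -> image-name map. Repeated rows collapse into one edge."""
    writes, contexts, images = set(), set(), {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m is None:
            continue  # not a parent/child row; ignore
        src, dst = int(m["src"]), int(m["dst"])
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
        (writes if m["op"].startswith("wrote") else contexts).add((src, dst))
    return writes, contexts, images


def hollowing_candidates(lines):
    """Children that one parent both wrote into and re-pointed the thread of,
    where the child is a .NET host: (src_pid, src_image, dst_pid, dst_image)."""
    writes, contexts, images = parse_edges(lines)
    return [(src, images[src], dst, images[dst])
            for src, dst in sorted(writes & contexts)
            if images[dst].lower() in NET_HOSTS]


def ancestry(lines, pid):
    """Image names from the root process down to pid, following the write edges
    (in this report each child has exactly one writing parent)."""
    writes, _, images = parse_edges(lines)
    parent = {dst: src for src, dst in writes}
    chain = [images[pid]]
    while pid in parent:
        pid = parent[pid]
        chain.append(images[pid])
    return chain[::-1]


def hollowing_report(lines):
    """Map each hollowed host PID to the drop chain that produced it."""
    return {dst: ancestry(lines, dst) for _, _, dst, _ in hollowing_candidates(lines)}


if __name__ == "__main__":
    for pid, chain in hollowing_report(IOC_LINES).items():
        print(f"PID {pid}: " + " -> ".join(chain))
```

The detection idea transfers to endpoint telemetry unchanged: a process started from a user-writable path that writes into a child it just created and then calls SetThreadContext on it, with the child being one of the NET_HOSTS images launched with no arguments, is the same pattern that this report shows for PIDs 4028 and 2452.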
Processes

(Tree depth is given in brackets; "cmdline" is the command line as recorded by the sandbox, followed by the signatures attributed to that process.)

[1] C:\Users\Admin\AppData\Local\Temp\e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe  (PID 624)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EE2Ip30.exe  (PID 4588)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EE2Ip30.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uu9aR70.exe  (PID 5036)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uu9aR70.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\at1Tc45.exe  (PID 4844)
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\at1Tc45.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Tr42EG0.exe  (PID 4044)
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Tr42EG0.exe
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Je6892.exe  (PID 1968)
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Je6892.exe
                    - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gW94Vu.exe  (PID 2148)
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gW94Vu.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4028)
                    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    - Checks SCSI registry key(s)

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aZ207Wr.exe  (PID 1412)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4aZ207Wr.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2452)
                cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                (no signature attributed in the tree; this is the process whose memory matched the RedLine YARA rule)

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5QR4sy2.exe  (PID 648)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5QR4sy2.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\cmd.exe  (PID 3848)
            cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6726.tmp\6727.tmp\6728.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5QR4sy2.exe"
            - Suspicious use of WriteProcessMemory
            (The sysnative alias only exists for 32-bit processes, so 5QR4sy2.exe is 32-bit and deliberately launches the 64-bit cmd.exe. The batch file receives the dropper's own path as its argument and starts two Edge windows on login pages.)

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2828)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                - Enumerates system info in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory

                [5] msedge.exe crashpad-handler  (PID 5108)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9738746f8,0x7ff973874708,0x7ff973874718

                [5] msedge.exe gpu-process  (PID 1712)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

                [5] msedge.exe utility (network.mojom.NetworkService)  (PID 4576)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
                    - Suspicious behavior: EnumeratesProcesses

                [5] msedge.exe utility (storage.mojom.StorageService)  (PID 4896)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8

                [5] msedge.exe renderer  (PID 5044)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

                [5] msedge.exe renderer  (PID 1544)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

                [5] msedge.exe renderer  (PID 1384)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1

                [5] identity_helper.exe utility (winrt_app_id.mojom.WinrtAppIdService)  (PID 5868)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8

                [5] identity_helper.exe utility (winrt_app_id.mojom.WinrtAppIdService)  (PID 6032)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
                    - Suspicious behavior: EnumeratesProcesses

                [5] msedge.exe renderer  (PID 6040)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

                [5] msedge.exe renderer (instant process)  (PID 6048)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

                [5] msedge.exe renderer  (PID 1164)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

                [5] msedge.exe renderer (instant process)  (PID 2028)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

                [5] msedge.exe gpu-process (software GL, GPU sandbox disabled)  (PID 1008)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9037968371126234918,17852420875447381288,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5740 /prefetch:2
                    - Suspicious behavior: EnumeratesProcesses

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4832)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
                - Suspicious use of WriteProcessMemory

                [5] msedge.exe crashpad-handler  (PID 5084)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9738746f8,0x7ff973874708,0x7ff973874718

                [5] msedge.exe gpu-process  (PID 3600)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7875575537865861890,14313067281319028688,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

                [5] msedge.exe utility (network.mojom.NetworkService)  (PID 868)
                    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7875575537865861890,14313067281319028688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
                    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 4008)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 3720)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 4628)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 5124)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

(The four CompPkgSrv.exe instances are COM-activated system processes with no signature attributed to them.)
Network
MITRE ATT&CK Enterprise v15
Downloads

(Files recorded for this task. The page reproduces only size and hashes, not file names, so entries are numbered here in page order.)

 1. Filesize: 152B
    MD5:    f53207a5ca2ef5c7e976cbb3cb26d870
    SHA1:   49a8cc44f53da77bb3dfb36fc7676ed54675db43
    SHA256: 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
    SHA512: be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

 2. Filesize: 152B
    MD5:    ae54e9db2e89f2c54da8cc0bfcbd26bd
    SHA1:   a88af6c673609ecbc51a1a60dfbc8577830d2b5d
    SHA256: 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
    SHA512: e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

 3. Filesize: 1KB
    MD5:    14849a936b7c44296f9cc2fc5fb517d2
    SHA1:   40208ab77713533ea75304a5db0a0c597004f034
    SHA256: 98c98194c44f65de71ab1886e4952dbedc0092af3955446891ce3f41785cab21
    SHA512: 5e491637023b05e43c4f186209b29a68582168650c321ff43ce29df02b6bd150d7c5f1e21d1f436538a06266ab955e45c44ae051d99d5aa060ece3f94ad3761a

 4. Filesize: 1KB
    MD5:    e2b417bd09148d6ae2849bd29919ebcc
    SHA1:   ecf04e5c3fd1f3819c90a999a459c00db6d9fea9
    SHA256: 3dff8872e8e110f890b4967b48fd1dbd3d817a2036b59fb01c6b235a71d412ce
    SHA512: 019a76d168984d1a636086bdd47051e457deb032fda62406d3e477d25475633e4383a0538b5cef0d234e53107ebe0d3ff395e1c2f78e8414655686132c21ff4f

 5. Filesize: 1KB
    MD5:    cf39b511bdb71343a85fec0793ad74b4
    SHA1:   77c231465b0a691d06ab71bb1d703de0ce668853
    SHA256: 3ffb0890b6b150c46096024c3bef991aae7c78441369c4cb1004e29108851d0a
    SHA512: df56fa43a9db94bd946e123d6f29252d5b58846c7f13b50ff37632885f74bc5f67990d47434252038163d67bc498c6cc39c8b2a3c571721a0f28268fc0bd6f8a

 6. Filesize: 7KB
    MD5:    0488475b5d6f3611d00077c9f1676f9f
    SHA1:   9c1ba0f46a2cd9931db4f182687a0e5568575bc9
    SHA256: b1df1d33f47327ac45b839980c7fce5c9c6d4f76b8fb37ef8e4fc789cd4110df
    SHA512: a5ece239e60907da09efccd421c6c70bc39b58bcc4177c1910f02a89801dfb2cc7e69b3038f900f5b2635febf11442a196c63929c1e8ac957a0da1985ec4cf2a

 7. Filesize: 5KB
    MD5:    d7bba71adca66bed86a02b219d090f6e
    SHA1:   8095d5a9d994161d19c1ba7ac711e791a1278b6c
    SHA256: 714b0b1ae812151ddfb8055f02e8f15387e0c045b33865f910957fc52ca790f1
    SHA512: 4fe342d18b2a5a30e64b3ef6237f5dedaae934a1fc5dd7f1de821c6ad878772c0c474bf21a39b1bd7bd46316963b57ced2871c856bd53a08efbd05e89442ffff

 8. Filesize: 870B
    MD5:    a5237ae922c8024daddd9e8a61ad8ee0
    SHA1:   5f7bcd6647c930aa59d4d17d4aa5e5fad34788a0
    SHA256: d072108e2130003d96881563d52214f96f42576ad18f21535f07936016aa5503
    SHA512: 6241f36b3ef65a109e5b8fb5007ee8accf2dd5b6b1e1ba1cf49e1ee07012866353ef3e0238ec577d0a1cf7494f8f20809dc41157741c63b9e0dc901da1b53e7e

 9. Filesize: 872B
    MD5:    3bde11ee5c5d009e131c873fcfb3f6f3
    SHA1:   f4c7ce7a94402c0e3395f2b0911c5373976c452e
    SHA256: 2e3b5850d5ae98e78254a99bd31f2c77976879c8ff5e8646b8b0a479dd841f2c
    SHA512: 99556f68564d7af94a93330733f2e00401770f47ebb0e798548ad8278bca3903528d9e6a1fa21a203e3fe7d0846c03440344cde04169519af25c9d49fd11e432

10. Filesize: 868B
    MD5:    e4b1b2710b6881b4093297f13b1b695f
    SHA1:   40e8cdf5354468e6ad343e62884f8756183f7c9d
    SHA256: 183480fa7f579ab05b85b601d0b4c65102a94e596193c22d5ca4db3db8eef3b5
    SHA512: e720ede8b90bdee0820c08aadcdc9d6d37964f7344fb1ba761ccddf3f94e4d7355aec3c89153beef4b878298ca13b1e99e21d27e0a02675a181654e08158e726

11. Filesize: 868B
    MD5:    adb6fc2c96e1d906c97b74eae41e002c
    SHA1:   2915b08ba3049a6e203a5633a6541cdf4ff486f2
    SHA256: a604c34d50682fd44cd1e74eaea1e4e6e0bc8589403158b69068afb87b97179b
    SHA512: c9fe291a35e233915f41ab05992915c648253f3cea37a3e1b81486e5a7e044fe465331209f82a5eb6668ad3aa97d25f265399fdd02e0b4779fb4e0949a7a4f49

12. Filesize: 868B
    MD5:    29960bac171903877db2cf9c87188dff
    SHA1:   c195fa43786ae971bfd4fa4ca04ae1c3e47dc6fe
    SHA256: 1e141356be5c0e292a1c754aa2f91747b6ac890383a16aa4fb5d196f40363595
    SHA512: 7a0de8d7120287d377c56ad00cc71d71abe5174f7e3a75649d30adc780fed42a60ce68e29a079d280e6a97b77705a725f714893090226455f392a517059d9364

13. Filesize: 16B
    MD5:    6752a1d65b201c13b62ea44016eb221f
    SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

14. Filesize: 8KB
    MD5:    bb4510ccf8692e99fc00d4518c302a78
    SHA1:   5228dc8fcd4b55c24278da90a6a76e35cb2822ce
    SHA256: 686c50b2364212b3266da8bb59e89b22fb8d3b63122d5b057e682ab4c2764dca
    SHA512: 6d037ebdc6ae54b732586fa604f33f5bf177afa2041b4a1641d4ff2f27051a674c0b8838d7b2772bb5e98c7a16e34935545702b810a29f40ec2c0a357c3475d9

15. Filesize: 11KB
    MD5:    c2a8a29f0967c496521c07f98f0b977e
    SHA1:   9fd3de64d7eaa03583569d7ef15410cc35939678
    SHA256: 793e787e94037c5580aefe76d28db8007e91f472b714a68286c56eb862c9ffba
    SHA512: 9ab0637ae82bcb632b4d992a4abe1cb9efd2eab70d051f441cb6312af98936eecc7887310c5de89c1e3c73e663b344878e2aa9c06950987ece947714b87b5604

16. Filesize: 88B
    MD5:    0ec04fde104330459c151848382806e8
    SHA1:   3b0b78d467f2db035a03e378f7b3a3823fa3d156
    SHA256: 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
    SHA512: 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

17. Filesize: 99KB
    MD5:    6bd6fb9952fa18f6e52f1e9ef0cfb385
    SHA1:   e1060312496d9e0bedf94df585b7863ec67ef42b
    SHA256: 89ca04731834695e5a1e35404e6c408b3cf420fcd34c9e053f9a3075b4e2e6fa
    SHA512: 04e89b9002406375764e6e8a369de9dde35c3836e6516393a84df50b1bf44b0bc0d920c30dcb781dd4679bc4b512f9d47997f193f16ad8779a0e9be06fda1483

18. Filesize: 1.2MB
    MD5:    2d06bb1883376c02addfdae30c4674c6
    SHA1:   39256ee881bab5b8a39ed57ed4c486fe9a8dd70d
    SHA256: 1d350c9449236440b90b533da9a3681d802230b17fc646e4f39fac8b06d28564
    SHA512: 90545e90df858c97326e20de98bb86ad0ed25f50bbbe4c1563c71f9606bb697be5e63cb81e722bfaf594a3b355fb18d16d38f1a26e2ad3d12f837e60f1021926

19. Filesize: 1.2MB
    MD5:    267ef1a960bfb0bb33928ec219dc1cea
    SHA1:   fc28acaa6e4e4af3ad7fc8c2a851e84419a2eebf
    SHA256: b462fedfb5904509e82387e2591bdb1ddfe6d12b6a28a189c6403a860050965e
    SHA512: ba09e6c6b71426e09214c1c6773114d0a46edd133d711f81960390f940a81a695550971b30c1d292109873b524db94b596ecaebfaf379e6c6bcfd4089379e38f

20. Filesize: 749KB
    MD5:    a4a164fa5c5e796e10b4d328ec8d73a5
    SHA1:   a102c3367d3161a4bfe6c0988bcd891f744c9036
    SHA256: ea7601c6ee113edfc553fd5ff05c1f8ae21bd30d793c426a7b3a9dc5cce47dba
    SHA512: ca7b82ebb4b57aac7404d6553cc05871b618175d04022819958e479c31bb8361da588224223ffac1b3e448f51d24043c4e972f01d0da622d9545652fe6038f0e

21. Filesize: 973KB
    MD5:    5dc4be46727c1853e63ebdd240ec9bd9
    SHA1:   6265b41bbecbb96cf666d2b4cbd6f209f44d7a2d
    SHA256: 1df63e2de3adac7ff425c75b3f649078fd7a8e0008e5063bd290adb1cdba2446
    SHA512: 59828cba7af9fb26c6717eb3e655eec07f732ec92d3ec0cce7ed2df1acf6095dec2d97cdbbd3591ed96c08cb2adcff12c31534a93b48757ff8976c0a4233062b

22. Filesize: 364KB
    MD5:    455347ba3d7b41331dfee6bf9eee794b
    SHA1:   6b4e14e85ec934c26fda86b0071cc25a1fbb1627
    SHA256: 028b2964534ec73672e940b1d39800c01228ab40cfa923a7921d7726c68878a5
    SHA512: 7126814a86b53bca08d83cd552d5dd5c7a2700d76855afb37cb0192ea1e2d2cacd4970df01c4cc53afb53169206a9b0a502e120f227d08d7580e45c555eda933

23. Filesize: 188KB
    MD5:    425e2a994509280a8c1e2812dfaad929
    SHA1:   4d5eff2fb3835b761e2516a873b537cbaacea1fe
    SHA256: 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
    SHA512: 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

24. Filesize: 186KB
    MD5:    3a24a41f3044d90555f6cdea0f2533f8
    SHA1:   25a1913e9e41dd13039d023a5f63a050256c72ca
    SHA256: 5e900b7d563b6dc3f5c5db7386ae7ea83ec512b1a72a1cac6d16d17110a90253
    SHA512: 8d12aca702a3f81329fe0dad30b28269fd9933b5493e8d978080fbee9b66a1727b76b6230d910a9cda1ca68141b55ef7b63fd3f7de077eb453da7d8b44f5b837

25. Filesize: (not given)
    MD5:    d41d8cd98f00b204e9800998ecf8427e
    SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    Caveat: these four values are the MD5, SHA-1, SHA-256 and SHA-512 of zero bytes, i.e. an empty file. Do not carry them into a blocklist; any empty file anywhere would match.