privateloader | 78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exe
Size

2.2MB
MD5

8c8f488d4517e6e6a7b335b42cd116f3
SHA1

5420752757751f38e1f1fec5fa09d31e5be4fd5e
SHA256

2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e
SHA512

ffaca884a9c07915fe45aebd3e36a377e77c488bc80f248744da91ebb143bc7a027cbf5e014445359a8ce34d1d4c577ee635ec5b9af6b6b0c47b1b98f33167d2
SSDEEP

49152:2hl6EoYK8uZlFR3Y9Rhdb+Ios4kX1B/MPS5UVfWRxRk:EvoYaV3q36s4kXD55U1WRg

Score

10^/10

privateloader redline risepro smokeloader horda backdoor infostealer loader persistence stealer trojan

Malware Config

Extracted

Family

risepro

194.49.94.152

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

smokeloader

Version

2022

http://194.49.94.210/fks/index.php

rc4.i32

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3324-35-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Drops startup file 1 IoCs

Processes:

AppLaunch.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk AppLaunch.exe
Executes dropped EXE 8 IoCs

Processes:

En2hD94.exeXd1Pl83.exeAr9HT45.exe1LG28aI7.exe2QY0900.exe3gd08lr.exe4pE598kN.exe5NM5fM3.exe

pid process

4616 En2hD94.exe
312 Xd1Pl83.exe
4808 Ar9HT45.exe
1684 1LG28aI7.exe
3356 2QY0900.exe
3256 3gd08lr.exe
2112 4pE598kN.exe
3136 5NM5fM3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	AppLaunch.exe

pid	process
4616	En2hD94.exe
312	Xd1Pl83.exe
4808	Ar9HT45.exe
1684	1LG28aI7.exe
3356	2QY0900.exe
3256	3gd08lr.exe
2112	4pE598kN.exe
3136	5NM5fM3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exeEn2hD94.exeXd1Pl83.exeAr9HT45.exeAppLaunch.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	En2hD94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Xd1Pl83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ar9HT45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	AppLaunch.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pE598kN.exe	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

AppLaunch.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	AppLaunch.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	AppLaunch.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AppLaunch.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AppLaunch.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1LG28aI7.exe2QY0900.exe5NM5fM3.exe

description	pid	process	target process
PID 1684 set thread context of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 3356 set thread context of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 3136 set thread context of 1856	3136	5NM5fM3.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3gd08lr.exeAppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3gd08lr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3gd08lr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3gd08lr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4324 schtasks.exe
3856 schtasks.exe

pid	process
4324	schtasks.exe
3856	schtasks.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{9801ABEF-6506-4696-81D8-3DE3538FA167}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3gd08lr.exe

pid	process
3256	3gd08lr.exe
3256	3gd08lr.exe
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3gd08lr.exeAppLaunch.exe

pid process

3256 3gd08lr.exe
1856 AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364
Token: SeShutdownPrivilege	3364
Token: SeCreatePagefilePrivilege	3364

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

4pE598kN.exe

pid	process
2112	4pE598kN.exe
3364
3364
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
3364
3364

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

4pE598kN.exe

pid	process
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe
2112	4pE598kN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exeEn2hD94.exeXd1Pl83.exeAr9HT45.exe1LG28aI7.exe2QY0900.exeAppLaunch.exe4pE598kN.exe

description	pid	process	target process
PID 3080 wrote to memory of 4616	3080	2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exe	En2hD94.exe
PID 3080 wrote to memory of 4616	3080	2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exe	En2hD94.exe
PID 3080 wrote to memory of 4616	3080	2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exe	En2hD94.exe
PID 4616 wrote to memory of 312	4616	En2hD94.exe	Xd1Pl83.exe
PID 4616 wrote to memory of 312	4616	En2hD94.exe	Xd1Pl83.exe
PID 4616 wrote to memory of 312	4616	En2hD94.exe	Xd1Pl83.exe
PID 312 wrote to memory of 4808	312	Xd1Pl83.exe	Ar9HT45.exe
PID 312 wrote to memory of 4808	312	Xd1Pl83.exe	Ar9HT45.exe
PID 312 wrote to memory of 4808	312	Xd1Pl83.exe	Ar9HT45.exe
PID 4808 wrote to memory of 1684	4808	Ar9HT45.exe	1LG28aI7.exe
PID 4808 wrote to memory of 1684	4808	Ar9HT45.exe	1LG28aI7.exe
PID 4808 wrote to memory of 1684	4808	Ar9HT45.exe	1LG28aI7.exe
PID 1684 wrote to memory of 5112	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 5112	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 5112	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 1840	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 1840	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 1840	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 1684 wrote to memory of 2028	1684	1LG28aI7.exe	AppLaunch.exe
PID 4808 wrote to memory of 3356	4808	Ar9HT45.exe	2QY0900.exe
PID 4808 wrote to memory of 3356	4808	Ar9HT45.exe	2QY0900.exe
PID 4808 wrote to memory of 3356	4808	Ar9HT45.exe	2QY0900.exe
PID 3356 wrote to memory of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 3356 wrote to memory of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 3356 wrote to memory of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 3356 wrote to memory of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 3356 wrote to memory of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 3356 wrote to memory of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 3356 wrote to memory of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 3356 wrote to memory of 3324	3356	2QY0900.exe	AppLaunch.exe
PID 312 wrote to memory of 3256	312	Xd1Pl83.exe	3gd08lr.exe
PID 312 wrote to memory of 3256	312	Xd1Pl83.exe	3gd08lr.exe
PID 312 wrote to memory of 3256	312	Xd1Pl83.exe	3gd08lr.exe
PID 2028 wrote to memory of 4324	2028	AppLaunch.exe	schtasks.exe
PID 2028 wrote to memory of 4324	2028	AppLaunch.exe	schtasks.exe
PID 2028 wrote to memory of 4324	2028	AppLaunch.exe	schtasks.exe
PID 2028 wrote to memory of 3856	2028	AppLaunch.exe	schtasks.exe
PID 2028 wrote to memory of 3856	2028	AppLaunch.exe	schtasks.exe
PID 2028 wrote to memory of 3856	2028	AppLaunch.exe	schtasks.exe
PID 4616 wrote to memory of 2112	4616	En2hD94.exe	4pE598kN.exe
PID 4616 wrote to memory of 2112	4616	En2hD94.exe	4pE598kN.exe
PID 4616 wrote to memory of 2112	4616	En2hD94.exe	4pE598kN.exe
PID 2112 wrote to memory of 1136	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 1136	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 1424	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 1424	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 4916	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 4916	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 2020	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 2020	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 3500	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 3500	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 4284	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 4284	2112	4pE598kN.exe	msedge.exe
PID 2112 wrote to memory of 4288	2112	4pE598kN.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exe
"C:\Users\Admin\AppData\Local\Temp\2ac9284d26694cef6e105c1d2811bfa8f9f4ad619164ac6068f85f79fdc93c2e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En2hD94.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En2hD94.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xd1Pl83.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xd1Pl83.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ar9HT45.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ar9HT45.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LG28aI7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LG28aI7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:4324

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:3856

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2QY0900.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2QY0900.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gd08lr.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gd08lr.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pE598kN.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pE598kN.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
4⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
4⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NM5fM3.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NM5fM3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4004 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3716 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5256 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5216 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5764 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5876 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6000 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6132 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6260 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6376 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6532 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6392 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6576 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=7208 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7384 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=7652 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7616 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=4192 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7124 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=5076 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=7312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=4232 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=8408 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:6140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=6580 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NM5fM3.exe

Filesize
903KB

MD5
9c3438a12f204d85e88eeb8cf208380d

SHA1
8a051fefefcc80feebed806d6a23c68c5e1e1512

SHA256
d41cdd5fc35137710fdc218841b308302a6bcafeee9fbeb10d189a32aebae012

SHA512
cf9e781891266197ed086889ef02fe519a217554976155c0c358b9a419f8c7fcd6653c80e4a5f70b31f1a62f13a99a8b6e61c249eb18f55b2ec46752745d5a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En2hD94.exe

Filesize
1.9MB

MD5
54d5e3850664d2d133b9f6ac4aae5e38

SHA1
a283cc486a256e87d2ee9134aa5294619257654a

SHA256
f760bc9ffa6c42c9e98b7205d3650ed818e86c9b22adf2ecdda4d3cd97bafe14

SHA512
322efd78bffbfd2bfe47f74a7b0f4e13905442ba9d5746cab05dcbeb0a6362913b8552991944f45356fd495627a774f9cb75edeec28ff3393dd61e22b0e9e97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pE598kN.exe

Filesize
896KB

MD5
12122f69ba4db1b83e368bb906fd9180

SHA1
35068b8c407173fe9cb27e8bcb10eaec94133278

SHA256
ff7be8ac023512fbce342bfbaf936169bc2b57e2cff094598be56e946d78e1df

SHA512
389952b2ab2aa3d65c690b4b46671818520965fab6d4b8622f20c9ee4eb5c5585fd6814e478e0e78fbcf6ef6538099a4bfea103217ce5f0c6b362a8ef3c81210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xd1Pl83.exe

Filesize
1.4MB

MD5
b0cf184bad75ecb659d063b5c19c6e60

SHA1
0011718bddb1d46654ad939347ad3a211bdcc2af

SHA256
d3953bd3252375176f3851185d883b47c6de6f07fa3be88dbbc114dafbb870ab

SHA512
eb1c3a8169dd45592fb927eacf3cae1d5cc20b8bea342791c8747c6b5f6088d029b516075bbc77fee0cf69d399b42b9737530530c861b086750f8baa472e4949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3gd08lr.exe

Filesize
38KB

MD5
f819ac948f8eb4806aeb676ff874884c

SHA1
77656339dc0fe5d4e956a0c0ba96d0a1ccc67643

SHA256
6ad6e9bc9243d34f0761ad6e705280741eea7f3a48317e601f11fc6a48bf627e

SHA512
00945e59e2ac05337b77ea3637c8f47a001fe4b9ff2a5f829f4b2532400db44fbca32d6dd0cf7e09a0d67ba6c80fef54b778f75c74654f86464ff07db2f879a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ar9HT45.exe

Filesize
1.3MB

MD5
6804bbca6e2d48ce6248e965b1917bf3

SHA1
670315f21cf21d13aa238cc66da12ac40d9c525f

SHA256
d2476762fa4cd25d9cd276f1706c8688f873aedc1da51e5c8b3cd0782a7d4f56

SHA512
634e76d1ae7f1b59648d32351d1c545718e04f94e2af8fb3a8c24084245fffb7e266c309c0e2f23f6154bc8b2e26d145765625df111af553125ddc47e2b1119c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LG28aI7.exe

Filesize
2.6MB

MD5
a139e50031f0b4321caf0613125f06dc

SHA1
7f2f583c72795308fb55c04829a36775abab5e0e

SHA256
bce4dda38d3e5d7aca08d37d3dde722b3e2a9af43d161d9bce6c6f55e85a4fb3

SHA512
ed6db1e0c0ad4e86a1abb286221ecbb79d347c2393faee91c48ca261930b8c102be59f0fc59a2bad1f4f88bc48343ae7d7807522a1751ff46ed6910392fe31c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2QY0900.exe

Filesize
1.1MB

MD5
72daa0fecead61db44fc0fb8f3dff71b

SHA1
1c7abea74830e019f105550f64f9d86596e261c8

SHA256
0d957fbfdf0e71dc7095e5cf9948561a959ebcb3fa0f8bee7c4d7ee6a9201e71

SHA512
21a9a852d1913029c7414a3f2e1c2784fdaf5553ce816df5fabf0fd6d86454f6b3bef3e172912cfee04dfb05b22c25b48fef78b2d91937df8d897e0922233233

Download Submit
memory/2028-31-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2028-29-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2028-28-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2028-53-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/3256-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3256-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3324-61-0x00000000079F0000-0x0000000007F94000-memory.dmp

Filesize
5.6MB

Download
memory/3324-62-0x0000000007540000-0x00000000075D2000-memory.dmp

Filesize
584KB

Download
memory/3324-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-68-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/3324-72-0x00000000085C0000-0x0000000008BD8000-memory.dmp

Filesize
6.1MB

Download
memory/3324-73-0x00000000080B0000-0x00000000081BA000-memory.dmp

Filesize
1.0MB

Download
memory/3324-74-0x0000000007810000-0x0000000007822000-memory.dmp

Filesize
72KB

Download
memory/3324-75-0x00000000079A0000-0x00000000079DC000-memory.dmp

Filesize
240KB

Download
memory/3324-76-0x0000000007FA0000-0x0000000007FEC000-memory.dmp

Filesize
304KB

Download
memory/3364-54-0x0000000002980000-0x0000000002996000-memory.dmp

Filesize
88KB

Download
memory/3364-69-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download