Overview
overview
8Static
static
3MDMAgent.exe
windows10-2004-x64
1MDMAppInstaller.exe
windows10-2004-x64
1MRINFO.exe
windows10-2004-x64
1MRT.exe
windows10-2004-x64
7MSchedExe.exe
windows10-2004-x64
1Magnify.exe
windows10-2004-x64
3MdRes.exe
windows10-2004-x64
1MdSched.exe
windows10-2004-x64
1MdmDiagnos...ol.exe
windows10-2004-x64
1MicrosoftE...st.exe
windows10-2004-x64
1MicrosoftEdgeCP.exe
windows10-2004-x64
1MicrosoftE...ls.exe
windows10-2004-x64
1MicrosoftEdgeSH.exe
windows10-2004-x64
6MoNotifica...ub.exe
windows10-2004-x64
1MpSigStub.exe
windows10-2004-x64
1MsSpellChe...st.exe
windows10-2004-x64
1MuiUnattend.exe
windows10-2004-x64
4MultiDigiMon.exe
windows10-2004-x64
1NDKPerfCmd.exe
windows10-2004-x64
1NDKPing.exe
windows10-2004-x64
3NETSTAT.exe
windows10-2004-x64
1Narrator.exe
windows10-2004-x64
NetCfgNoti...st.exe
windows10-2004-x64
1NetEvtFwdr.exe
windows10-2004-x64
1NetHost.exe
windows10-2004-x64
1Netplwiz.exe
windows10-2004-x64
1NgcIso.exe
windows10-2004-x64
1OOBE-Maintenance.exe
windows10-2004-x64
1OneDriveSetup.exe
windows7-x64
1OneDriveSetup.exe
windows10-2004-x64
8OpenWith.exe
windows10-2004-x64
1OptionalFeatures.exe
windows10-2004-x64
1Resubmissions
23/08/2024, 16:00
240823-tf47dsteqe 623/08/2024, 15:32
240823-sy293sseld 423/08/2024, 15:18
240823-sp1d5athqk 823/08/2024, 14:12
240823-rjcv7sydnd 723/08/2024, 02:33
240823-c17dta1cpd 723/08/2024, 02:11
240823-cmbpzszelg 423/08/2024, 02:00
240823-ce59mazbnh 423/08/2024, 01:37
240823-b1992a1dmm 523/08/2024, 01:24
240823-bsm5jazhpp 523/08/2024, 00:51
240823-a7p21awhld 6Analysis
-
max time kernel
203s -
max time network
215s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23/08/2024, 15:18
Static task
static1
Behavioral task
behavioral1
Sample
MDMAgent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
MDMAppInstaller.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
MRINFO.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
MRT.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
MSchedExe.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral6
Sample
Magnify.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
MdRes.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral8
Sample
MdSched.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
MdmDiagnosticsTool.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral10
Sample
MicrosoftEdgeBCHost.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
MicrosoftEdgeCP.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral12
Sample
MicrosoftEdgeDevTools.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
MicrosoftEdgeSH.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral14
Sample
MoNotificationUxStub.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
MpSigStub.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral16
Sample
MsSpellCheckingHost.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
MuiUnattend.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral18
Sample
MultiDigiMon.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
NDKPerfCmd.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral20
Sample
NDKPing.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
NETSTAT.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral22
Sample
Narrator.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
NetCfgNotifyObjectHost.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral24
Sample
NetEvtFwdr.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
NetHost.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral26
Sample
Netplwiz.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
NgcIso.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral28
Sample
OOBE-Maintenance.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
OneDriveSetup.exe
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
OneDriveSetup.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
OpenWith.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral32
Sample
OptionalFeatures.exe
Resource
win10v2004-20240802-en
General
-
Target
MRT.exe
-
Size
188.0MB
-
MD5
6c6a5d2f148d503a61ff2497a3df0893
-
SHA1
7e7c1cef7edb6639e6744126e23f78c22468c8c2
-
SHA256
27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a
-
SHA512
6802cab34458e7711b21ea28cf9c53e08bc59a35f53aecbd73a1dd67aac3401406551a48929cce14c55d5cd609cc358273806ffe9f931af9300a8076d383c07a
-
SSDEEP
3145728:ehWmMmF5xzBXBurZpPTuFJajqq+YnNPSENNK6oZBSLtwgfpe/p/i/E5x5/pE5x7e:ehWilB/IEvCBNs
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: MRT.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\MRT\45FC9137-F686-5667-EEC0-B0AB8036A337\MPGEAR.DLL MRT.exe File created C:\Windows\system32\MRT\45FC9137-F686-5667-EEC0-B0AB8036A337\MPENGINE.DLL MRT.exe File created C:\Windows\system32\MRT\45FC9137-F686-5667-EEC0-B0AB8036A337\MRT\07ABE911-9301-49C2-BA56-A1D482D7EACE\MpGearSupport_20240823_15280888113066-A7DE-7BF8-9ADC-A636FDE838F5.log MRT.exe File created C:\Windows\system32\MRT\45FC9137-F686-5667-EEC0-B0AB8036A337\MRT\07ABE911-9301-49C2-BA56-A1D482D7EACE\01daf5714166dc32 MRT.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\mrt.log MRT.exe -
Loads dropped DLL 2 IoCs
pid Process 2168 MRT.exe 2168 MRT.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 MRT.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 2168 MRT.exe 1732 msedge.exe 1732 msedge.exe 3724 msedge.exe 3724 msedge.exe 8964 identity_helper.exe 8964 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2168 MRT.exe Token: SeBackupPrivilege 2168 MRT.exe Token: SeRestorePrivilege 2168 MRT.exe Token: SeSystemEnvironmentPrivilege 2168 MRT.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe 3724 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3724 wrote to memory of 1360 3724 msedge.exe 113 PID 3724 wrote to memory of 1360 3724 msedge.exe 113 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 540 3724 msedge.exe 114 PID 3724 wrote to memory of 1732 3724 msedge.exe 115 PID 3724 wrote to memory of 1732 3724 msedge.exe 115 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 PID 3724 wrote to memory of 5760 3724 msedge.exe 116 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\MRT.exe"C:\Users\Admin\AppData\Local\Temp\MRT.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbedae46f8,0x7ffbedae4708,0x7ffbedae47182⤵PID:1360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:22⤵PID:540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:82⤵PID:5760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵PID:6540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵PID:6380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:12⤵PID:7760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:12⤵PID:7776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:82⤵PID:8412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:8964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:12⤵PID:9016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:12⤵PID:9036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,378008086480153340,17647782258996325128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:12⤵PID:9704
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3132
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6348
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:10312
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
5KB
MD5d489e8cb03b6ab34bae161ee01a8767b
SHA1097ada6e9081705863f318935362119a534f2487
SHA25666b3ba6eebee9b2707500daf106afcd4b3ea4e68aea7dc6a78ff8328c8097590
SHA5120a26b2cac732c91edbaac5ac306da4839be7350059c73cda1c9599a2ce545710df9102e31de9860a52af4674b9ba2edf8799f8f09ff0f2748cb74a713376c978
-
Filesize
6KB
MD5e37ff339f259dd801af4e28e3c6238c1
SHA158ec6afbc5aa39d77b4b99920ed0572e8f6093e0
SHA2562e542a0dc16869d1915754bc66641295f5649bff4dad383de584377db0abdd88
SHA512e35bab228e5a9c29bf411f18e38bf63aec942a6a6c36a26040f7fe7a175f6af664796a5902dd2d28bce4aa5d0e64f1e416e0a1218e4945e25cdc4da9ba4e0b4f
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5e3fff9585bf66b667d03e3dca04a8497
SHA1c65846a215cdff711b871b8cd8fac0ada7373170
SHA25666d07d3ad5414a6ef27d3c20d1e92f562dd3725eaedc542a944cbd10791496a1
SHA512fd4f15d06196303d7651e781170406969d261b8f1f0aa461bd36d1a242a31c153882e0cfbd3cf7c56485ff5fda2de00e47e21e5550eb2b4ca7f029a74f19a935
-
Filesize
11KB
MD53ff4857643c6046deed20badb1698650
SHA1a2e06f8a074d503b169f9200fa30988139ce8fd2
SHA25645ada0d9f2e82a134a5741c8665a2a7365159ac256c647cdab53a750ee4f84bb
SHA5121bd21463056393336e296979d0768a252e1c7fc080ade329091fbc2d317583d238dc43470913bf4d5598fb639b4e19914f7bf43750f4465becd7e11252a8b151
-
Filesize
18.8MB
MD5984836eb2eceb2554d9a91b8eadeb544
SHA14c002b6218cfb0d3f301f1ec39e1731af3226e8c
SHA256dc1e3f25aacac110b79268648355612db457809b7b4a95fef87c85c2785a7e4f
SHA512ffeb937658e8af752ad8705ab9b2abf6355384c30aa7400f32a98a265911d348d7ba4f6c88f992d83d22ab6f484517700a82020d7080e9180faee77c2c7b3005
-
Filesize
607KB
MD5a0c4ac6378ce0313955dccfd2d9208a6
SHA17ee2f0f3bf4504f4f7bbc63cb5fa883711c13801
SHA256abbe3285c58c830314f9f0ad2ddc769139c0d808e27893290adc69a535b996b1
SHA51272ea9f0d7399fa5d6865f3f887ffa07098b883b1428b33dcb552a40bb22ca6a461a546736667ca1aa97e5f06dffd10dab765c7f6e3e827dd0335b562b27d2fb5