Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-09-2024 21:36
Static task: static1
Behavioral task: behavioral1
Sample: 248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
Resource: win10v2004-20240802-en
General
Target: 248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
Size: 1.8MB
MD5: 18cbe55c3b28754916f1cbf4dfc95cf9
SHA1: 7ccfb7678c34d6a2bedc040da04e2b5201be453b
SHA256: 248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b
SHA512: e1d4a7ab164a7e4176a3e4e915480e5c60efe7680d99f0f0bcbd834a4bec1798b951c49ef5c0cca6bea3c2577b475de3c51b2ef1ae70b525d046eb06591f7110
SSDEEP: 49152:Eau0Bnly1l8B6hLa5vMIKHVo5W1v2mS0la98MT:Nfy1Wo+JK19eFE6
Malware Config
Extracted
Family: redline
Botnet: frant
C2: 77.91.124.55:19071
Signatures

Detect Mystic stealer payload 3 IoCs
resource    yara_rule
behavioral1/memory/2444-66-0x0000000000400000-0x0000000000428000-memory.dmp    mystic_family
behavioral1/memory/2444-69-0x0000000000400000-0x0000000000428000-memory.dmp    mystic_family
behavioral1/memory/2444-67-0x0000000000400000-0x0000000000428000-memory.dmp    mystic_family
Modifies Windows Defender Real-time Protection settings 5 IoCs
description    ioc    Process
Key created    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection    AppLaunch.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    AppLaunch.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"    AppLaunch.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    AppLaunch.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    AppLaunch.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"    AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
resource    yara_rule
behavioral1/memory/2468-77-0x0000000000400000-0x000000000043E000-memory.dmp    family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE 8 IoCs
pid    Process
1216    Yt8ge85.exe
4068    GY4IC43.exe
4856    hE8Zq97.exe
212    1Zn59od7.exe
2768    2PO9885.exe
2720    3FD62NB.exe
2536    4Ii975UD.exe
4596    5uR3lF9.exe
Adds Run key to start application 2 TTPs 4 IoCs
description    ioc    Process
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""    Yt8ge85.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""    GY4IC43.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""    hE8Zq97.exe
Suspicious use of SetThreadContext 4 IoCs
description    pid    Process    procid_target
PID 212 set thread context of 4608    212    1Zn59od7.exe    86
PID 2768 set thread context of 2444    2768    2PO9885.exe    91
PID 2720 set thread context of 3668    2720    3FD62NB.exe    96
PID 2536 set thread context of 2468    2536    4Ii975UD.exe    100
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 4 IoCs
pid    pid_target    Process    procid_target
4816    212    WerFault.exe    85
340    2768    WerFault.exe    90
4148    2720    WerFault.exe    94
4736    2536    WerFault.exe    99
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc    Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    GY4IC43.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    2PO9885.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    AppLaunch.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    AppLaunch.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Yt8ge85.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    hE8Zq97.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    3FD62NB.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    AppLaunch.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    1Zn59od7.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    AppLaunch.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    4Ii975UD.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    5uR3lF9.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description    ioc    Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    AppLaunch.exe
Key queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    AppLaunch.exe
Key enumerated    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    AppLaunch.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description    ioc    Process
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS    msedge.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid    Process
4608    AppLaunch.exe    (x2)
3336    msedge.exe    (x2)
3360    msedge.exe    (x2)
2020    msedge.exe    (x2)
4228    identity_helper.exe    (x2)
3748    msedge.exe    (x4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid    Process
2020    msedge.exe    (x7, all entries identical)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description    pid    Process
Token: SeDebugPrivilege    4608    AppLaunch.exe
Suspicious use of FindShellTrayWindow 25 IoCs
pid    Process
2020    msedge.exe    (x25, all entries identical)
Suspicious use of SendNotifyMessage 24 IoCs
pid    Process
2020    msedge.exe    (x24, all entries identical)
Suspicious use of WriteProcessMemory 64 IoCs
description    pid    Process    procid_target    (repeat count)
PID 1544 wrote to memory of 1216    1544    248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe    82    (x3)
PID 1216 wrote to memory of 4068    1216    Yt8ge85.exe    83    (x3)
PID 4068 wrote to memory of 4856    4068    GY4IC43.exe    84    (x3)
PID 4856 wrote to memory of 212    4856    hE8Zq97.exe    85    (x3)
PID 212 wrote to memory of 4608    212    1Zn59od7.exe    86    (x9)
PID 4856 wrote to memory of 2768    4856    hE8Zq97.exe    90    (x3)
PID 2768 wrote to memory of 2444    2768    2PO9885.exe    91    (x10)
PID 4068 wrote to memory of 2720    4068    GY4IC43.exe    94    (x3)
PID 2720 wrote to memory of 3444    2720    3FD62NB.exe    95    (x3)
PID 2720 wrote to memory of 3668    2720    3FD62NB.exe    96    (x6)
PID 1216 wrote to memory of 2536    1216    Yt8ge85.exe    99    (x3)
PID 2536 wrote to memory of 2468    2536    4Ii975UD.exe    100    (x8)
PID 1544 wrote to memory of 4596    1544    248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe    103    (x3)
PID 4596 wrote to memory of 1952    4596    5uR3lF9.exe    105    (x2)
PID 1952 wrote to memory of 3296    1952    cmd.exe    106    (x2)
Processes
Tree depth is given in brackets; each entry lists the image path, the command line, the PID and the signatures triggered by that process.

[1] C:\Users\Admin\AppData\Local\Temp\248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe"
    PID: 1544
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe
      Command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe
      PID: 1216
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe
        Command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe
        PID: 4068
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe
          Command: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe
          PID: 4856
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe
            Command: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe
            PID: 212
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4608
              - Modifies Windows Defender Real-time Protection settings
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 576
              PID: 4816
              - Program crash
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe
            Command: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe
            PID: 2768
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 2444
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 600
              PID: 340
              - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe
          Command: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe
          PID: 2720
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3444
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3668
            - System Location Discovery: System Language Discovery
            - Checks SCSI registry key(s)
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 592
            PID: 4148
            - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe
        Command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe
        PID: 2536
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          PID: 2468
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 572
          PID: 4736
          - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe
      Command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe
      PID: 4596
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        Command: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B20A.tmp\B20B.tmp\B20C.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe"
        PID: 1952
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
          PID: 3296
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffcb1c946f8,0x7ffcb1c94708,0x7ffcb1c94718
            PID: 2284
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18111602421623233435,14155396086217874123,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
            PID: 4524
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,18111602421623233435,14155396086217874123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
            PID: 3336
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
          PID: 2020
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcb1c946f8,0x7ffcb1c94708,0x7ffcb1c94718
            PID: 4196
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
            PID: 4136
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
            PID: 3360
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
            PID: 1560
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
            PID: 2144
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
            PID: 3560
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
            PID: 1852
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
            PID: 4224
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
            PID: 4228
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
            PID: 1000
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
            PID: 4452
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
            PID: 2784
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
            PID: 3828
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,8960757692036535708,13909861599599444064,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4976 /prefetch:2
            PID: 3748
            - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 212 -ip 212
    PID: 4120
[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2768 -ip 2768
    PID: 3484
[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2720 -ip 2720
    PID: 2924
[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2536 -ip 2536
    PID: 1520
[1] C:\Windows\System32\CompPkgSrv.exe
    Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 5104
[1] C:\Windows\System32\CompPkgSrv.exe
    Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1668
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 152B
MD5: 111c361619c017b5d09a13a56938bd54
SHA1: e02b363a8ceb95751623f25025a9299a2c931e07
SHA256: d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512: fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Filesize: 152B
MD5: 983cbc1f706a155d63496ebc4d66515e
SHA1: 223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256: cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512: d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 05c47c09d290e12f06bf360f7e8b8f2f
SHA1: df54cf0efe8def1e66c6a39247b01d62591858dd
SHA256: 67f97e0884604f74b6ff575f0ca33208a1812acbbe361881bfd73e77566e1f13
SHA512: b266a50f65cd637fc789c82a834c8ffade83870588cba7750aebf03148199ef30c564cd3009541c3442db043265163012b34dc309ecd3ca655e820e9362b6052

Filesize: 1KB
MD5: c2dc9268e5e0d824e80bdc6fd30a5710
SHA1: 6bfdca717c4efe6cfcdef539a1693db6fd7af1f1
SHA256: e859be58c9f9b71962ba8a2292b49f3335dc6c9dd2459e36756655aaa10f4e4a
SHA512: e2a336bfeb851216ee15ca774f669b07e0b91274ed79a94d64d4dc92ebca4f65f3338a07e5ebd956cd191f4fecd3336fc9ea17a4d7f72b79302c269bdb84882f

Filesize: 1KB
MD5: 832f87c1416df19f5dbf07216a9e60f2
SHA1: cb1e2e3bea1ba79ea3fce3c9b92f6c670c12d82c
SHA256: 9a0c0f41d8554e7542310715ffc69eed99dbe7d530ab27f8c6b54efdd88d4ab0
SHA512: 92ecb046f400b850a1ce6cda328bada55586e6cbdc606be798f9e389fde5e20114392d9041e14f34bf2fde0db5f110e667c5bf81e75d83356180ed2a6c4e262b

Filesize: 7KB
MD5: 9952ad1b3114fbb86277934925a97de7
SHA1: 027e0d17984cb1ef4ec07d06289d34f6ac1020aa
SHA256: a454eb672181ed7d705cac9f3dfa16e1e8b434c76796308b2f7324c3acf29fbe
SHA512: ba9bd7682a3543240dd3049fb2fc5dd811ac166e4d94139495bcff5289e5d3543bdaab0b24bb83cad65052eeffb57c0a7d1ff616cd8b7819e23e87cbf0bc94cf

Filesize: 5KB
MD5: 1293673f15df21eb178e06d751420c97
SHA1: 9853792733979d1127f4720863042dc51bc0e9ed
SHA256: 1b515cb25ec2f581c83f01fed216a09eff4a5e3bec046b3cbe3765c0449732af
SHA512: 41a0c31186d2ddcb80ed080946c666a39dbf451a30a88b9386ce07e87903dd6c921caaac8576ba0d0b446e41a2553024a413067abd7a7933613a6c1ee2f1a3c9

Filesize: 872B
MD5: a2b460bb86e4dacf499b1711ba83957d
SHA1: 2d1dfeeb8ab2f9e7f4d943843d9f57c66bc3fcd3
SHA256: 0e173cfd3304f5bddfe8eaebf0039b49dd76155840c5becfd247f59e61c7756b
SHA512: bc8a54e40a5fb89edb7eaa74133dde54d9333299c487ca134752fb15df7e27cdde51b3f0dcac7cc544f9c433acabbd7f6ccf3abeea28f5ba2812c12e0f5a8b74

Filesize: 872B
MD5: c8a26d122e13bf7d0eff94db14a16f42
SHA1: c0f8771b827cae847a520421f4cf1dacf1ccdfd7
SHA256: cbeb6a508a87776bed6e5a634fcce8a4e77be92a0e85672b937b65f5563d9a21
SHA512: 287cc17f2babe4684cebafc1c9366104ad870407d710de8da28dd9d9a4357733bee660d6064bf8da72b704e2d2b2a3e866d7d9ddf27dacd08426650f906ba646

Filesize: 872B
MD5: 0df3122b56d7d6d8faf53017760a66d9
SHA1: b376113f4db74dda0aba63c1fcff966b30181263
SHA256: 124b32dec0b21c230357e2332bee593ed76fed3fb9ec64a719e214086627c0b2
SHA512: 23cf25fc4a33c55cef4f2b008821b342fa4818940aa41dc02047b944950a215f3ea5d6636cb5f3a48e30fb823860d2dce82c5cb54a5bff10093ce51f0ff10bf6

Filesize: 872B
MD5: ff932950fa09eb51a00faf830b05b791
SHA1: fc6f0020567f85ebc767c569bb20e260d571bf2a
SHA256: bab0653768b2ad7ace9f40140046fb9016ae1a568985e4e35b622e147ebce7b1
SHA512: 3fc71aef6428304d5fa5a63db8042abe7de170bd98d0da573d6360ccb67166b23a73bfbce4f220f5e654a512f98724cd2f44bf757b83eecd50b6271680a67d62

Filesize: 872B
MD5: 7e5f126cc93991fbd25a4b387c9bdee1
SHA1: 04e09d44d10ed4bc379b505a78cff9d4798e6275
SHA256: 348628b0cf1b6d189e665e70a34e5eedef47c6f5debaa251f061d63c25b06ad4
SHA512: bc0c80adf630450637062c1cc05250bc694d72350da9530ec38d22014ade98f1ac451b4df0bf9f962cef5ac46485b630140e2d965e16f2086477ddd742f38fff

Filesize: 872B
MD5: d5a358d66178560350e9b549c79eac19
SHA1: 1653fff186b28fc346a3235ebfbf1e143722c6b0
SHA256: 60359f573a9a8f2edb28fc9d2b110e40ec1775e3550ec1805aefed91bc3d0804
SHA512: d8bd29d456c48ace2450296e904312220e5cfdee9b993be5a4a19bdf3960da3b01bfeaf079c0615e500206575b7cad522cec9f7399b831b009de93fffcbe95ca

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: dd40fe2d08a823fc63ec4837043f7497
SHA1: 40114d62ecdbc3faf5956ce242e9315e924804e9
SHA256: 062927001db94c46ce04e228e7b521eb93f12682c1a1d4968f70b0126a4165aa
SHA512: e435aef8b6ac8d54512a68ba8876b1b48f7fd67e3bc1c6d69aa674bf91a80930263ba0a422c3460e8da9fcaed3a19b67c72da5170270f61b181bbcc1773b97e6

Filesize: 8KB
MD5: 22068e73fa86dda15073b3f1cb5c032f
SHA1: f2a011790170688c38ca815a5064bd6e060d6411
SHA256: 42224da973d49e2f777595a1925c3973fd81a1a65a37fa8ed3674fee60583014
SHA512: 12f5b6e362de989ca39e9b5c34a2c8b6850324ad0b10d38f92fbec999430cb19a105af5c68b64cbbbf8875a31c58b1d13fe520beb10e741c011ff40a5e41f4e8

Filesize: 90B
MD5: 5a115a88ca30a9f57fdbb545490c2043
SHA1: 67e90f37fc4c1ada2745052c612818588a5595f4
SHA256: 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA512: 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

Filesize: 100KB
MD5: e0f8b21b36fee4e7738a6b5a1ab83673
SHA1: e305d55d4d47bfa62eae5f8e6f34e5b133a6f40b
SHA256: c567d825d19e24343647ed36c77033fb1f46f420384745a9734618684cb7d384
SHA512: 716e6624ff87c859d08e2bbcda1137a2386d30b5b9ef545daf2c6585bc3366561773b9ad6c719a1ad99f1bacb219544ae4556629b355250e2234a7f87d24e238

Filesize: 1.7MB
MD5: 847ee3021803e4adaefcc00aa8283017
SHA1: 87644df0985b5ef9791c72ce79f423350629659e
SHA256: 4611614d9c95b0d0e4bf4aa486cc700db6e49dbef7fa2726b20f165e6798a9f7
SHA512: 1aaea476c061160439439d2dadc05e451166faa5614ccf8960b592df6933d07c867ab8813c08026b8b2c35b20b03dc0d26641e228fe06cff8c4938367e515b38

Filesize: 1.8MB
MD5: cfbb3be155b12d0cc69e3d932fbb81eb
SHA1: fb5ed48a80131043c4dd2e4ac69b4b38578f9753
SHA256: fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2
SHA512: 38aadedee5bd57c7f475e96d74abbb0e671bca462c2c700b7a034e2d1513bd8aebc30b7b75bf1e8cd7b7e3a831e69d5dd0ceaee3d18ed296a2cb3d1b051164cc

Filesize: 1.2MB
MD5: 252043d1805587b0e65a07f885d6719e
SHA1: 2210de44be60ba496ea5d4068e715c1308066989
SHA256: 66839bc22b9c9f717198cf8faa64146fe95dff51dfbb8c0f61982f2e50e89557
SHA512: dbcdb0b6fe37cf2c733b6683c2e245008400c84b59450f34a794e513955aaf392982e20f2eb2fce696eec2574fe15f699841748a21fce6a1e20a4381fd52f950

Filesize: 1.6MB
MD5: 7d377f5e1ba6597ff2cfe4f92639367d
SHA1: 188ab803c9926ff3448c458030f418099ea03407
SHA256: c705efd2888dfbede96714b58aede50a28b3da45aba83a909cb104ce34dc735e
SHA512: 2adad69f3a358ad955b00c8d7826c396feef9d583407d4c7d53ce3e16ed760f148f553f49df5bbcd6c5c68b87bcf7e1472d3c789946b23dab7ae94b4036540e6

Filesize: 725KB
MD5: 403a939a04b4384204d35dbc659bf772
SHA1: a5424bc4b18c00fd261d71861fad75502a963397
SHA256: 75d5ae4d95b66cb33ccb1b8c39adda5b287ab6c44b11aa42b8f3351024fce1fc
SHA512: 860d17990d95694bd7e799b22e6af6fd93a20276439829e945f9aff079b6c708851e8b3e55200b8ef97d41d91608911a414b4a69c26e5593b9b4ca8a134ddbe8

Filesize: 1.8MB
MD5: ca7a5693b5b0e8b54d6dad6a5b1b86b5
SHA1: 49da08ec9be5e002b0d22dd630182c3a905c76c7
SHA256: 2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12
SHA512: 68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Filesize: 1.7MB
MD5: 144dc3c0a5275a93ff86f00b5c61b9ec
SHA1: 784168ab3c4711737656ca13dc4cb59ca267fa45
SHA256: 179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787
SHA512: 9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783