Analysis
-
max time kernel
167s -
max time network
181s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
0d5168a6e44940ea7f1cb2dc06698783e7e987b82ba1c25c333279001b78ad57.exe
-
Size
1.6MB
-
MD5
6b6f9e49181e1d03f78509aff32e0baf
-
SHA1
86ba4bc261b4a51042098accc67272b3a7b29761
-
SHA256
0d5168a6e44940ea7f1cb2dc06698783e7e987b82ba1c25c333279001b78ad57
-
SHA512
2ec00bc01b105676607abd978e060cb44ba7a84261689181bdb137246998b76f0c7d067dc0cd65dd89987ef9c67d2fa4554f73142efc5f13405302eb2eb892fb
-
SSDEEP
49152:psD5WlljuPP+ZhBIgv2ldONz5DvLFETghmyN/Il0TF:ygZUgOrONBTsyNgl0
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d5168a6e44940ea7f1cb2dc06698783e7e987b82ba1c25c333279001b78ad57.exe"C:\Users\Admin\AppData\Local\Temp\0d5168a6e44940ea7f1cb2dc06698783e7e987b82ba1c25c333279001b78ad57.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vy0oJ44.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vy0oJ44.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aN8bb19.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aN8bb19.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WP2gn59.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WP2gn59.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TH2qY10.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TH2qY10.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM7YC38.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM7YC38.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Uf70YP5.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Uf70YP5.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2QM7584.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2QM7584.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 5529⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3hd09hY.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3hd09hY.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Tc192Ss.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Tc192Ss.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hZ3pY2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hZ3pY2.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6vF2hB9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6vF2hB9.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL9gO78.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL9gO78.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2C7A.tmp\2C7B.tmp\2C7C.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL9gO78.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff841e646f8,0x7ff841e64708,0x7ff841e647185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10344665489648964417,2305056941070000618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:85⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff841e646f8,0x7ff841e64708,0x7ff841e647185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9720797573457906920,784314368744529582,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9720797573457906920,784314368744529582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ff841e646f8,0x7ff841e64708,0x7ff841e647185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8321456446564218626,15796296623248580938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,8321456446564218626,15796296623248580938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4132 -ip 41321⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5bfe742e1dc491c8936e04e9c19790b57
SHA194fcab66f2b04229f3140ef353a6f3611594be31
SHA256b51c86053a3a06d859a8cd1da484c1424f6fb67d6344d476aceea65b63f640eb
SHA512ea5e69a3d23d101513774606573575f901fe5790c233fc6d43ad7c2f7815e735fb00c79aa1b40f82d6753601fe198335db4e8292d3b0c0a988cd4c594220f191
-
Filesize
152B
MD5fd7944a4ff1be37517983ffaf5700b11
SHA1c4287796d78e00969af85b7e16a2d04230961240
SHA256b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA51228c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b
-
Filesize
152B
MD5a774512b00820b61a51258335097b2c9
SHA138c28d1ea3907a1af6c0443255ab610dd9285095
SHA25601946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1
-
Filesize
960B
MD55fe556cca1ceca42d84f2ac5be8c3803
SHA15ed0fd1bdd2fb208f751f784752d6d98316843c8
SHA256cd8a0e5ae17504b0c467df4f5756dce491172d02be036877f21f6ab5cfb513ea
SHA5127578809c8f6f2920913893fe2d535c42e9fee5c65c9912e4fa044ef5e767a6208ddd2325ce6aa64e4b1a5177595230017765b147f69e32cfdf77605f95795a1e
-
Filesize
1KB
MD59b6b27e28ab22d460cd69c2586a42b8d
SHA139e75974bbd288c73d32c7f69624abe86daea21f
SHA256af4b69a39c54c0de12623858c9a7a9a92aba02aa8b14e049b65d2b619fe8458a
SHA5120524d52670c6428c563d9abe53d95a9beaf9e79b87aceac131ec94504635270589a777553546daeccb349ec6003907f531247716c10b6a477f1c57f5c3a38478
-
Filesize
7KB
MD5e346917ff482bc5bb70a24403581146c
SHA1df0245df8656281f52dcc43992689f87b6a2f052
SHA256c10ff5c62407594a61e6671f52cacc56cdb699b6890071763ca3a9a03b2cf390
SHA5123dfae225f4afcb7dba06740515b9c5837fa4f2bc27d53822fab2213edc4172aff37cac191dba636929e06583609165d46a5c38b94e5e6badfcc5c1069400771e
-
Filesize
7KB
MD5aec952876e4f0256d129d964b9899eb6
SHA10cb341bdf68bef70b17a460507c34063de8d0077
SHA25615b3580f7aea59e874fbff25cb252dd24e23f2ef20b1259c344dd5505f634491
SHA5122c19d313671ef2d23d5d0c83fb6f8a3f643f66853c6e13ef5f5035e86cb6a439cd512995dacf8e1a78100229649d021e2994a111340ade4677364c046ee240e4
-
Filesize
6KB
MD54de3a9bd4f9538e38a298c0ffcb6592c
SHA1b7a8501fe3a3a2b665b6d69449e5cd8d8dfa5faf
SHA2567dba2258f4921cf8604bf47c9e143f104dca32b7b31d43122a859ad7322b14aa
SHA5120bfbd208ca6f3d1ff8716d98ad4bd76a1fde803d48f8297216f0800bada40a884acf157a01c1e487d14403287f54bb377ec5ad31ffa976daa57384e385d9152a
-
Filesize
870B
MD5e3c865a6f3bd1bb492a21732e534ff95
SHA16152e8b0842ef91618b3f2c0f04d5b01b11fe6fa
SHA256bbb4add42ea60511cb9a3b0796970fbd198bb9c0005f88f0317c902a81929f45
SHA512a1c7ef22ca206b5b9a29796c2bccab41e1a74c916a838167281fc31252eaca553120b40f36d9a160a33d49f5673c04a6c2cca954afca546ea1738bc95aa17c95
-
Filesize
870B
MD566d8faf6510f477481e37772ef2c1025
SHA1085bacadc08a41b9389451d4ff032419ecb00430
SHA25609661f083a39e9848db3fab63bded10c176a97d461e68076a8df0dd3ba34e139
SHA512429d06bce955d44b17791fcdafb6fbfa5ec666f90ae4bdd1ea566b347079dfd0be9b7bf292fd11d2b7dd4d0c2ec2ca54112009c91e438e5a92707eb550a7fd73
-
Filesize
872B
MD59c87c089e04eab0c6f833edb83f22d79
SHA17808236e58754f0ef9e75a52744c53beb8d10dd4
SHA25611f3343a8233a19e40a2fe09ff0f7dbbfdde61be80a7cc682073e321b63d08c5
SHA512faa1967e172f6d044f21242b80639fc1ee77a7d63927195f40f8d5f3a43821f57a7ceb8235dad3a2955806aaf6a136b01696f6eeeb8a892cc23e1ed931d09ffb
-
Filesize
870B
MD530d7e1bdefc2145197d4745565c6e8f0
SHA1225883d3ec43b9bb0ca281141e28939f683d481d
SHA25691dfe01f9f92d87186989300ee0503f37f3a8251a2b2e5d8b2d861d6926688fa
SHA512036d3b3f0654e5b1742beeb8270e5aee6772d75c2579bf138b7db8c915246eeb85533a7fe642eca3b7fabceb64e4498822767e6a2df6ff037635941e69ae9810
-
Filesize
371B
MD5b6d5dc8d88ddf6105592465d475889cf
SHA155c87b013bdfb61f0888a4468bdca0658646b7e6
SHA256ffcb5a1c4b94c054fdb86bb59aa3e966e63abd22014a49f1a3bc5cf3c66bae3a
SHA51264b2f7bbca5b90256cb13dbf469b3b0a343cb62f7b6ce73f46c271fc27fad715526656fb0a2698cf5f3594266df03780ed0075e0a7f7069f59413b794bbf2bc8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD513ecdcb8db54cb5a541468f2b2ccd2b5
SHA1c75e5d323c6c000607edcef065f34445e1736e5b
SHA256939505bd88ba9db81488f3e56a83bc400a4cee68646036a23dbadeefc49d0371
SHA512c65e7c16e1b3d3fa4fd37fd2c3b73b3d5f534276811a79e730fc32896c01eb122dcb649562a78bd4c51bead01daecd2cd5a669b9dd75c1b66e35f6f83594a934
-
Filesize
8KB
MD567dfbc70ad7d947375573ad8ca089c49
SHA11834a187cd45cb98f5607c87814de3f1cd047787
SHA2563f2e81760d2693b66a6984ce3ffde666b113fa4ddf224348c10fdb71588d7078
SHA512252ad502649c6cc23a65979d5a8c6c4472039ac796fb46a0b4cd38be98d230e0a67d0806fb02e93190d18b87a062dd2030a66bc47b31941ca5d7e14d1d39f992
-
Filesize
8KB
MD55bc5c4d5c36e063e88e683b94def06a6
SHA1c1646b658d3c5967b46f7661499222009cbada1f
SHA256b21d57eb76bf3a5b42f7c1b3fd9b9851cf32c9ce2eeaadfdefbaf944ca280755
SHA51247a9198bdb77e067a282c3617c59bdfd1e3197db1f23eaa24205310040ad87156f01751af5047bfddfcc8dd57f110713eed47762403d13b46796d42ee3b0fceb
-
Filesize
87KB
MD5e58787a4dfe4cbda82e82e4fc1ac0c0e
SHA15f76c0aa0010032c2d3ee5e4bab7580b30783671
SHA25651615e3ade1f0c9163bf808b32ab576cb2f8d494b511c6ecee09315fd8893aa4
SHA512c877e497e3a23161d2c3d6ed55b74c510d5075adce5542c9feac9cd7b4de26d8a0a5864caacd8d88349bb229562b14993249d2e85f8a161f3fd24d388779989a
-
Filesize
1.4MB
MD51aa3d037076d524ce93aa746f479e953
SHA1e57feb2ab32be514ca5ad4df1a7509b93bb6db6a
SHA2565eb5df5728cce0fb34e5790b678feea77c4b2dfa522aecfef3f7c738327f4701
SHA512c4440e0602910654978423b092dfd25028aded2542f13c1e27bbee6c711f818ab169b893222a1328fa5a35db890604df74a197c551bc41d9328ae9d18b445d94
-
Filesize
180KB
MD571e067c58bba188ff6991df61bbd3ed0
SHA194709e42db782e76700fa34606684f8016b9078e
SHA256106b06f2f1e28d36ceb766d6738e012952a364be425f117260e1f5a927636b1f
SHA5120bab9798913edb20c82271da67f7584aedc59569527bc4ba8d7d7e391b18179ebb7bb7dc7e2d98910a5d3e1bfc209664709fe13dc65426f86b44127959877299
-
Filesize
1.2MB
MD513819d2ef8f7f66234cc20afde10443b
SHA1a76abcaf910eb169209d9ff651152ef94d4e5525
SHA256556d7895f8f90bb287c0fd00eff4a6fd784e21e867d887cd6e89bea9f31ee213
SHA512036de462c3851e055123fbcc8bd532ce4eedd154f101267850f7992df0ecac26ccac821004b8493a2408f1de76b4c207e761894f5027e73cd8ee211bd44d6a06
-
Filesize
219KB
MD5c0ec4dd9c21915b44f2655e23aa50fd0
SHA1e4aa3c023576067ded7515f88e8782eb8a7af614
SHA256d84e1f98e3f3d364cb93e6cf4c9b993944be61ec5b674ff157711d11bfcb7191
SHA512a28ee2a17e08e995900596fee57a4c2361984e679c9a387735af92dd659b3faa527d8f437d7b3090339047b0e5be777113d9697992ae370567e4216ebb684c8c
-
Filesize
1.1MB
MD5fb9ec67282e955142284a5e26ff34f69
SHA1b93d91f57030aa7ebd78c1b9df2e89f3d0aaa274
SHA2564ea7cd1e48c4fbf1cb53e1523fa875227d41e8afa4a119e0db532e863c86af0d
SHA51222d9b20df0c03e33d2f4a9b0c490d8dee39ff6e6b32fed49ca565f4057885c5e07cdc567c11c997f23c5989f97b3dae5e75b1bb58dc20a7715605f51a53979c5
-
Filesize
1.1MB
MD5b0407079529dfd079dfa7804a3b0acf5
SHA1a78b6ff0b45ac4386daee3f0f8f764844578f8c3
SHA256fc2f73235d5125551906d4c5b962c19276ac46b943fc3575af399aff61759992
SHA512825ddac35d142a7afdd4b8e23ea575032ba955863073d6c900359862f3367362c58b5ad31a76182e301abf00ec85924f85d583064b35cf02d5084692744ed93d
-
Filesize
682KB
MD576133daf5123d791d05f3d6077b82da8
SHA1a49fcda04704afd6308f0a70ecd26bd93e728650
SHA256058e376103952b045ff8808c7b8f1a8427a7bb6d0a41247bf40baafd6fc8e31b
SHA512845fd4fb3b604d527da5a4fbd829b969e5acd280d3eeadb545325332ed9805ff50578d7ff232e0ee473b6c5115d0a9159d1e9daa67c8852995ed65ce93aa187e
-
Filesize
30KB
MD54f07adcfc663ae5ee5a051c471666cc2
SHA110c55d117b211a7df58af3b1b6c687d73d8d9297
SHA25680f8bf6f0da127882e35d77b5d8a4408db844963d26e479f17f62fef5ea904f3
SHA51298727b632863606aa7af8b2dc370f5886e968f3fcd1f9ae13959ef640279ee80c1475473dc3dcc7853236e652e8ec3a03753e3de5247945e57ebb5b1d81fddd3
-
Filesize
557KB
MD59886a5b5bb35d2fed26b537659042b18
SHA1f0b1a1e7a2c2a4cf28418d0e7c34a9ff65f90c79
SHA256f5e0abfbeb3e3787515e17feb68fa7257804b1b13eb93d42f1a19c0034a7be07
SHA512459bf851aac4b51d2872b72554f1f146e929cd604fcf9fb02d54f45bfe3b9ce88a07d62bafa9afaf2691ed2b084c29b067aefcc58b2782ea5c45918b2938a158
-
Filesize
886KB
MD58888c49aa48cf0ea1dc2be358624d147
SHA1055f7dc5635544ad131cc1331a59e866c9402ff8
SHA2561e111d314fae9689d28706c674c71ddaa6d7ecfc4df9d82560b4cc6dcb5a2348
SHA5128cb0c17f17baef58112bf01e14242b24ac9e300a0fe6083554b8a4aed029ee7cc7afb174980fec2f782fc2fa1fed5f3d607dac963dc6f4c636c0cf52a8d8e8d2
-
Filesize
1.1MB
MD5efef9300fa83ae3951a85b97a03791bf
SHA1f7223b49d8e14c9a0f197a5681f2fc01bf3b5367
SHA25698fe1103db4b9754e830af0dec07972af188f84418d0c6ca3f44d97ee3ef249d
SHA5124518b8b8d7acbc461f91570f2af7a94c260a9be12c6814c24dbc7ddf6f55dbb81974203249ed61bb7c2334468cd79ef26ad4cd33147a663ddf4aa195c560d9ad
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
6.1MB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
36KB
-
Filesize
36KB