Analysis
-
max time kernel
135s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
1f5c7e49f271a5b8db3a281d063f1d5dc5abce418cd07deaa612ee48f24b5dd0.exe
-
Size
1.5MB
-
MD5
38b987fb5e2aec40b13a1b24030f7c30
-
SHA1
94e5ea5caa690ff493baf7b62aae684d17b46cf4
-
SHA256
1f5c7e49f271a5b8db3a281d063f1d5dc5abce418cd07deaa612ee48f24b5dd0
-
SHA512
d4fb9245bc8961952d15974fd5ef942ef93e1284fbca53881f61bed16251408b11fd4aa5beb890e24c1f5529bd21f74dd5553c2571a499d6f0ddb689ab02cdcd
-
SSDEEP
49152:gazzeCdgvm9FXBbb/i9kezNjWWVoGKSeT:JGCdv5BH/kkmCWVCT
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
redline
grome
77.91.124.86:19084
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f5c7e49f271a5b8db3a281d063f1d5dc5abce418cd07deaa612ee48f24b5dd0.exe"C:\Users\Admin\AppData\Local\Temp\1f5c7e49f271a5b8db3a281d063f1d5dc5abce418cd07deaa612ee48f24b5dd0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xF0Av74.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xF0Av74.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eP9eA61.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eP9eA61.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZV2AH55.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZV2AH55.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VC1Df19.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VC1Df19.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yq84Gp7.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yq84Gp7.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oS3507.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oS3507.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3LO19My.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3LO19My.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uR397nB.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uR397nB.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5TT7GY1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5TT7GY1.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fx0Kz5.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fx0Kz5.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6050.tmp\6051.tmp\6052.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fx0Kz5.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x104,0x170,0x7ffd7b8e46f8,0x7ffd7b8e4708,0x7ffd7b8e47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5236 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9083959356658650893,8397831891171952343,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd7b8e46f8,0x7ffd7b8e4708,0x7ffd7b8e47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,327779502614203371,1258826616694117121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,327779502614203371,1258826616694117121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd7b8e46f8,0x7ffd7b8e4708,0x7ffd7b8e47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9842947506411909494,4320131203111025059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:35⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
Filesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
Filesize
1KB
MD51e7de2ab71335a4160ea7916c702d0e6
SHA134c85f31766c0d7404fb7e8a8e28daf4394cc845
SHA2568c2908a96ed355156c2c5521843f2989116fecf93ef2e4ccf8a4bdc9ff756abc
SHA5124eb3fad0d4cc9a216d1ba5296f5d6d75e00ef69bff05f3538c47cd0189b3482bda696acb590f9f225b37a36230e953bab0aa3ecc97f158161d09a80d156daa2b
-
Filesize
2KB
MD5644783f872fe7736e4a8ad746ac19a50
SHA1b175be48606410fd63dba5b02a1f2b1fe07c237d
SHA2561fb8a5c0d44b5947346795c20049cce1555b28d82fde1fea8e83124d28513418
SHA5125ae5e67170770a12e9d359de34ceb36a1998f6cd9edccc3b25012aaed6dc1e3930fef63f60fe3d173d6f344ea41e2989adc2b8a2e26d23a145cb089dda0a7990
-
Filesize
2KB
MD5f83f168fea8b6564269afe7c71d5a7b6
SHA12153058fddbe8ce63e4559b9184a3b8eca0a23eb
SHA2569a494e287ee7e4f62f120b941e3a03ac059b5b5fa8085f242c70c5dfd161d987
SHA51297574acf309165b2c0b7caebf4ae3ca33c7348de2c3e0dcbf4c00b4a309c9538abeb535b8832838c8384f3712cdfaa45ec3d083d4f7e4b49e74bd0ae827da969
-
Filesize
6KB
MD51de185bcbb7a0b1bf87996514773b841
SHA14800eebf75dde5147500e19582ce30c5a4e24e0f
SHA2563cbd6ead6c551d41f72b47a5882701c0ad886545f90c33cbab2860f5b90679d4
SHA512660445cab9c318efdb7704f8e98ac387c192f858cf4a22e18dae4b3865c5d15542aea0e136a99ea325dd42325bd8fbfb064ae62804f5b5fa00951aa3604253e3
-
Filesize
7KB
MD5b66010bf34c00902a314fdfd2ec7e310
SHA1c0e1370aa2225b858fbb1fbf5ee3b3b564c27cea
SHA256b93435568ad156610b800e348c7a344e4d456fc881761332b4c1b87025422b72
SHA512d43ff65e3068f48a59178794bbd2d38529e36fbb23380ad32618407bd02c439c96b1f3c52b155bdaaa78095e07afc1da29f606a72dfd5d6f91a37a3924f3be7d
-
Filesize
89B
MD5e5a520186172e3d99cf2d9cd7bd35c45
SHA17b4badee3e07beaef88167d618d942aee976c994
SHA256bcd5e53cae0412911d4639deb284e5b2f07e661752e822fb5dc6d239ba653724
SHA512685c4cc12b4ebc2f0f1b3831eb94240669b02eb9f3e86314ca5dc022f6866398a3fabc0496f532835665ac77e3bb81369685fdb756644409cc92a642bf83c261
-
Filesize
146B
MD50c96aec9ee03b8ca36643b0b9f94046e
SHA175b83e4c06319d79d0394ab026463b423decbc6a
SHA25619bc96fa59f43f830d252b6f49d2b912860b523c814b9647d706afdc4c1736b0
SHA512edeb2cc7564cc9f28db1a4ba8aa847c763b924d5867970904141bf2fa507e61b02d019e96dd1ae6500871ff91ae45c4986e205061250c4d4341a783b1e912fa9
-
Filesize
82B
MD5207a17dc266af52bf67c488d39d3f407
SHA10f1649057d3ece7e710d14124f8d11fe91ee4719
SHA25626908238b3eb6374346383d1d8528a484aaed9afad9233092685eb20ff35bb63
SHA512429a4eab0e69510d0bdadc3a89ef876405bad9221ce15151678eb37b2ed2aec8624de2fe9910a0f62b84ee1e71b925959b4f02da1dfe65b2466adb1a8817ab41
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD590a4ee6c9c25d5f6b4cf024f92bf8185
SHA1a3d01673ee13bcdbb6fee9f7c045b93a7f47789e
SHA256ede184d3661d41bd29aebaa39d03d87cfb9062af8bd8c221015bcc5172a98ef8
SHA5128610dd4a315668bd118850d8a5f29b37c0e2c0c6db7e31fb56c4b3b8c06e1e3e6d2639fbc7a20a32bd9322db5511b58a77d00117768197b359867f8707a054a4
-
Filesize
48B
MD5a58ce3f805d2ccb0d1fe653d80d0f5bd
SHA1e459b3b94fa431470c138ac87c8138889c73d27c
SHA256974b067de55a1b708c3b96aef0ed83ab25a422c322a72b782c2cac214bb5c48b
SHA512a9266df3f8503f5da96728cadea04a7ac03a99326e56a3e18dfd4afd095dca2b1f07ee4242cc0db965e62e9dacb352ed32eef82298254114c34c05ffcb5e6781
-
Filesize
1KB
MD56a9a1b4662dac3a35b5403d23027520d
SHA109996582a35f1e95792cc43255bb5403d3a8cb96
SHA25643e351eba9e238ba2646542319267bc57081a2806ff2bde8cab5d6b84f4afd94
SHA512092346be984a3e5c3b619c3267cc8184b92b1b5d16f42858bf092511494bc0bc24f244c9311ae5d8f012f85d4ebffb2a6030a9c5628c85abc9e0364638139791
-
Filesize
1KB
MD5e6c3de2fc68618974f76059c9a9c0711
SHA11b48e15538698126900519a71ce9578cd5c7d179
SHA256bc367931b340329721fb895565597041d6348b06b6303687572410c588ae5527
SHA512be6546cf3c5a227efdcd7650fff54e1e0c75d0a1160c52bbf81a7af8de078a679e21e20e1c15ad33ed2b7bbba94044f45f648c0b42868f84dfe6714eaf1cfd92
-
Filesize
1KB
MD51d065118d23b85146c6ab2d7cc939128
SHA10bb489a45cfcf67047a70cfff32306beca2e9f72
SHA2562b5aee41a19a50cf96166248673bf4d294016ca5b827bb67710be72c4ae25c2c
SHA51269c9235c293a2c2409842b93014afa1b6aad833ec43e2b1010b0fac3e4b67dbefce4ff3de3f61a705db279d435426096823d62d13cd0011d75ce1bd8d9e4b5d5
-
Filesize
1KB
MD5687c02565f3e1c50e13694bcea85f044
SHA1d03fdaf5be6cb8b6d14fc1c40b06ad38ee012e8e
SHA2567209c12f74efbd07f47bdffb935299834f69e44085ec9d0f530e56e963315bd0
SHA512b0e19a7966c63840056bda1a66536dd846d882c9e613f1d91e07c07dd6cba83c1657c7afeca56997438e469173698cbce27ecb31f060d6aa75b2c5bf2318d988
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD58ef20744149f4290b39d8ea2bba3440b
SHA1d91fd62745542d10cfa67ef3990b42492a91567c
SHA256236e7bade9592713bb8295c50beaa2ef4a0939d3e4e9a950a46fd38416a635c6
SHA512f4aa723ae46c82882c5ffda60dfb232d7de7cb1b84d80f64294fd4e3cea14e10fa30d018848be291e9b052f295c1b6e7a54ad1466d540b86bdff170cea364de0
-
Filesize
8KB
MD54aad11108b290654a3bbeda861e79983
SHA168231763d8a45fdc9c2e2a5e6de0e024b3835362
SHA256d47fe8403dc823d9fc9232fec6002ae0a8e88c65bc98f17de6759a57664a625c
SHA512bbc69f307fa03f3ea7bd699b4134f8912c6ac15030141c17bb9444b5408f0afe5be3d036ae0b6abd1d04acd4f7a661f69378993c4238ef8398a06f853c3307a0
-
Filesize
11KB
MD555410dbfdc8d03129a7624471efebf05
SHA1e4291b63073cade61aaae625349c3e20a641fc3a
SHA256ea7e252b6bdaa57f6dbe5def8100888461035ee0e82fddbac95662b33a02f6a0
SHA51204cf9e9b16c9eb848f498054cd2b6d0780c99a8e8b253500ca53697d761428838a88109699fe0d8373314a867eff7315557b55d01ddf6a332b423e5765d25914
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD5022f88d8143aa843195645c28fd72c10
SHA1924a07062c26b568a07d9527dd35053055952acd
SHA2563bdfec566c595a0d4f976d8611dbb2f439149b3772dac615a43bf415600d2487
SHA512490b2f48c507384c24129870d39aee9379a24146bc05fb7ca8698fefd7cbce6c935fe092fdc9ecaf999f91dc9e3a1df3b7e0e9b60e0dae50f45b710d967a81df
-
Filesize
1.4MB
MD5cdfa884349f3da1755d61cd710d48d84
SHA1daff335a73d81889de2cbd0810f1c403efca3afe
SHA256e3509be6ad1a706b2301630635442b90073bbd5b073367244a30e70b0dd97f61
SHA5126e415362aa79dc3f4138e3db6d46bed4647e9191e4a8cb8b35a8f8a7686fcd0fea754a95ec3030a0c1dc2019657599776b14a19b98f4f88973212bd112d8f479
-
Filesize
219KB
MD52466c25d245c0e9ccf293f44969ec596
SHA1121b65fb22e0d751a265b323a5e3cc51da5c88cf
SHA25695a2ef61c343eb5fb6817dede479f01a369ecbe244e19973f883460dd9bcd53c
SHA512ca2765cf6799f9d14faafccdf4d965cdb8e3181471267cf4851f2e3f7e320fda9401779b71d7b1c066b16cbf5794064f67193ea496fdcba71ce5b02c64f84440
-
Filesize
1.2MB
MD56d80248f61b941db963baa72b8867fd8
SHA1a01da33f565fa7c9fbec310cbad13bb999dd57a6
SHA2564d6db3c2a2e2f54718cd478c3ace7f0ce6ddb9ed8f398850c2ea344836a7dd07
SHA512d3c43f48406899563aee2e3dce4e43e134ac204b00db48c3bd807c9eeec24223f559deef612d31ce772bfd480cbcaa8c13036e859cc72461a689b5d048e3e55a
-
Filesize
1.9MB
MD5f6a960e73b56f4fa26437ac5e12d7773
SHA196b2c9aa721bdd672501e5b07d12f61b6db86886
SHA25668285c53ce6f94bd947ead934a14efca01ae117452fe559954e943748713f93c
SHA512f8f13dbc76b5a2c3736a350ed2a973e7ba47ec20e2de6bd509ac8f67916e44b34fe06aee7973b2387e190277c8d4a479dabf833618eeecdd290ff4db46b6d3a9
-
Filesize
698KB
MD51905dcc5750811bb6f3f0c001ed7fe51
SHA12133cffa3effb835e03232b01d52cb226ff5596d
SHA25651b6cfc563df7a41b30c224fc0052060fb9509b86d01ef1761be0ab5e93db925
SHA5129bb99dfdebac37136dd26180eb5516b06925f5df5dd9609e2c331e8ce1f1ddf2ed41088c83ff460febc42bca5f96571fc0a86e8932d852aa523b7ca1283cf59d
-
Filesize
30KB
MD54f4e0a41fd3a536ea81ea1a46ec9e38b
SHA1ad7dd162ef0e10859bf1614de40f9debb258a43a
SHA256ff43f6b967470e6c20c03be67664581b0033d2004b5ecd9c152fd67623aa9eae
SHA51276cd35ed2234a490611b081ea9e1dc84cd142e0e1a0f699ec6d464a38ab3df484f60050c770d19e0d7ca1688058363eeaf8e71feddbe6e67e9a9b0411bbf47d3
-
Filesize
574KB
MD5eddb308ded1c6412a1f099d2b92b541e
SHA111ef46d3b0d500a2a812c3bd44cd809add5e8c8f
SHA256b02d00ffb8edad56f665886b51d5eb552265d3e8810e38b2328d416ee4f7abb8
SHA512250b6a5e1b9154e28b104c09b7d18bb203e861e7b3a7400682ffc82813c3b9a8f6f1795063dabdc885d8a16292da4ff647b19d5a72d5592cf7ab223cd69a351b
-
Filesize
1.6MB
MD529e9546e7fe835b413a5d65599213b53
SHA164d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658
-
Filesize
180KB
MD5623466278dbb4318945252df4d3e0560
SHA19f607589b20ae381948ad645de0c254a4bbd75a8
SHA2561b2fa3eb76e703c576a57a68fc679efc7346c659e152416c5944cd710fbb9a27
SHA5125b4a8d818ab5c276b5756db168dac8b687da9d6bc41e9ee1141ce563a67446f3857d5690e5f8173554146e56e70ba8db060dd4902a07b16439a6351046d103ab
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
584KB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
88KB