amadey | c2a80b06810487d7a7f9f999074dc2782625934d84a8d3dfcea1cf8a6f28f803

Analysis

max time kernel
115s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe
Size

1.5MB
MD5

ce40fcc1f95b0c6d4f7a21c08d49a17c
SHA1

703099eee297196e642eba4781f9542ba8fbfed8
SHA256

3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a
SHA512

968632c5d9f97024d2ae63bd9794d351ad1d5a43ba5da392c01e6c7a7a035a2e4e9d1ceb084baf108b2bb39bd1d2d410fd0dbcc5ed5c26afe3bc847b3042c9be
SSDEEP

49152:ncNhZC2U+qtQFaQmk+YP4RHugqtrW+P2Zf:AC2URaas+YP4RHdqtrv2Z

Score

10^/10

amadey mystic redline smokeloader grome backdoor infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hF6730.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-51-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5qE0fa6.exe6Fw0zU1.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	5qE0fa6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6Fw0zU1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 11 IoCs

Processes:

MN8Pv64.exeBX2ON51.exeYA0cB39.execj7aK37.exe1AE97zh4.exe2hF6730.exe3SO24vn.exe4gY147xN.exe5qE0fa6.exeexplothe.exe6Fw0zU1.exe

pid	process
2512	MN8Pv64.exe
4288	BX2ON51.exe
2696	YA0cB39.exe
4928	cj7aK37.exe
1568	1AE97zh4.exe
3972	2hF6730.exe
4404	3SO24vn.exe
2232	4gY147xN.exe
2516	5qE0fa6.exe
3208	explothe.exe
1184	6Fw0zU1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fw0zU1.exe	upx
behavioral1/memory/1184-70-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/1184-75-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exeMN8Pv64.exeBX2ON51.exeYA0cB39.execj7aK37.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	MN8Pv64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	BX2ON51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	YA0cB39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	cj7aK37.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1AE97zh4.exe4gY147xN.exe

description	pid	process	target process
PID 1568 set thread context of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 2232 set thread context of 2032	2232	4gY147xN.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3SO24vn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SO24vn.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SO24vn.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3SO24vn.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4560 schtasks.exe

pid	process
4560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3SO24vn.exe

pid	process
4404	3SO24vn.exe
4404	3SO24vn.exe
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3SO24vn.exe

pid process

4404 3SO24vn.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2908 AppLaunch.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3428

description	pid	process
Token: SeDebugPrivilege	2908	AppLaunch.exe

pid	process
3428

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exeMN8Pv64.exeBX2ON51.exeYA0cB39.execj7aK37.exe1AE97zh4.exe4gY147xN.exe5qE0fa6.exe6Fw0zU1.exe

description	pid	process	target process
PID 4452 wrote to memory of 2512	4452	3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe	MN8Pv64.exe
PID 4452 wrote to memory of 2512	4452	3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe	MN8Pv64.exe
PID 4452 wrote to memory of 2512	4452	3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe	MN8Pv64.exe
PID 2512 wrote to memory of 4288	2512	MN8Pv64.exe	BX2ON51.exe
PID 2512 wrote to memory of 4288	2512	MN8Pv64.exe	BX2ON51.exe
PID 2512 wrote to memory of 4288	2512	MN8Pv64.exe	BX2ON51.exe
PID 4288 wrote to memory of 2696	4288	BX2ON51.exe	YA0cB39.exe
PID 4288 wrote to memory of 2696	4288	BX2ON51.exe	YA0cB39.exe
PID 4288 wrote to memory of 2696	4288	BX2ON51.exe	YA0cB39.exe
PID 2696 wrote to memory of 4928	2696	YA0cB39.exe	cj7aK37.exe
PID 2696 wrote to memory of 4928	2696	YA0cB39.exe	cj7aK37.exe
PID 2696 wrote to memory of 4928	2696	YA0cB39.exe	cj7aK37.exe
PID 4928 wrote to memory of 1568	4928	cj7aK37.exe	1AE97zh4.exe
PID 4928 wrote to memory of 1568	4928	cj7aK37.exe	1AE97zh4.exe
PID 4928 wrote to memory of 1568	4928	cj7aK37.exe	1AE97zh4.exe
PID 1568 wrote to memory of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 1568 wrote to memory of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 1568 wrote to memory of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 1568 wrote to memory of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 1568 wrote to memory of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 1568 wrote to memory of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 1568 wrote to memory of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 1568 wrote to memory of 2908	1568	1AE97zh4.exe	AppLaunch.exe
PID 4928 wrote to memory of 3972	4928	cj7aK37.exe	2hF6730.exe
PID 4928 wrote to memory of 3972	4928	cj7aK37.exe	2hF6730.exe
PID 4928 wrote to memory of 3972	4928	cj7aK37.exe	2hF6730.exe
PID 2696 wrote to memory of 4404	2696	YA0cB39.exe	3SO24vn.exe
PID 2696 wrote to memory of 4404	2696	YA0cB39.exe	3SO24vn.exe
PID 2696 wrote to memory of 4404	2696	YA0cB39.exe	3SO24vn.exe
PID 4288 wrote to memory of 2232	4288	BX2ON51.exe	4gY147xN.exe
PID 4288 wrote to memory of 2232	4288	BX2ON51.exe	4gY147xN.exe
PID 4288 wrote to memory of 2232	4288	BX2ON51.exe	4gY147xN.exe
PID 2232 wrote to memory of 4556	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 4556	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 4556	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 4064	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 4064	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 4064	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 4268	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 4268	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 4268	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 2032	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 2032	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 2032	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 2032	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 2032	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 2032	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 2032	2232	4gY147xN.exe	AppLaunch.exe
PID 2232 wrote to memory of 2032	2232	4gY147xN.exe	AppLaunch.exe
PID 2512 wrote to memory of 2516	2512	MN8Pv64.exe	5qE0fa6.exe
PID 2512 wrote to memory of 2516	2512	MN8Pv64.exe	5qE0fa6.exe
PID 2512 wrote to memory of 2516	2512	MN8Pv64.exe	5qE0fa6.exe
PID 2516 wrote to memory of 3208	2516	5qE0fa6.exe	explothe.exe
PID 2516 wrote to memory of 3208	2516	5qE0fa6.exe	explothe.exe
PID 2516 wrote to memory of 3208	2516	5qE0fa6.exe	explothe.exe
PID 4452 wrote to memory of 1184	4452	3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe	6Fw0zU1.exe
PID 4452 wrote to memory of 1184	4452	3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe	6Fw0zU1.exe
PID 4452 wrote to memory of 1184	4452	3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe	6Fw0zU1.exe
PID 1184 wrote to memory of 544	1184	6Fw0zU1.exe	cmd.exe
PID 1184 wrote to memory of 544	1184	6Fw0zU1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe
"C:\Users\Admin\AppData\Local\Temp\3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MN8Pv64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MN8Pv64.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX2ON51.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX2ON51.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YA0cB39.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YA0cB39.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cj7aK37.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cj7aK37.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE97zh4.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE97zh4.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hF6730.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hF6730.exe
6⤵
- Executes dropped EXE
PID:3972

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3SO24vn.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3SO24vn.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4404

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4gY147xN.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4gY147xN.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qE0fa6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qE0fa6.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
5⤵
- Creates scheduled task(s)
PID:4560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
5⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4404

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
6⤵
PID:2272

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
6⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2984

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
6⤵
PID:4892

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
6⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fw0zU1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fw0zU1.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DFB8.tmp\DFB9.tmp\DFBA.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fw0zU1.exe"
3⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3944 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4760 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3536 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4480 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6004 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DFB8.tmp\DFB9.tmp\DFBA.bat
Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fw0zU1.exe
Filesize
45KB

MD5
d47666e1f07f52778be724e662338044

SHA1
b2f5093c41f44323f0e8550d00969fe97b76847d

SHA256
66f72bf041a3911680050b9ff6cf8cdaaff3349362d1cd7ebf7602f33699c574

SHA512
ead36e28c25a02d4a6d17ac6dec8175ed4b35253258228388a8cc6dc3188da3bb1b9cb2999c9ac25937fb3ec157d885ba79ccb1c0b8a69ce9456966215f2db16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MN8Pv64.exe
Filesize
1.4MB

MD5
e6a959a8b4e1460212bb7847bbc4e7aa

SHA1
a554e55ccacdd3da181ef8a2c5764e8a6a2faefc

SHA256
64ef4bf30e14fc9fa71c10bd085d39654dc5f7903b911f4e90a9b351c2c41882

SHA512
e3ad98d9c24e5aacc05273ad80a4efddfcd3be836ea2156bcbac6eacb0fe53ea4096ce667f69517bfc823810ddc4a9bfcddb571aaff8c05c29d56f668bfdde18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qE0fa6.exe
Filesize
219KB

MD5
f33a619c22fe75839239ff060d6880fa

SHA1
62f648780a48a3e4d9b274bf0109b4527d006e53

SHA256
af2e1cfc88e8ef97dc862794ce3f6a3b8e44efb6bbf2e46c7fd968102fdc5255

SHA512
9e88cb5079a5555bcc8f3c7d35131e2acf20784bec7e295191bd9869d078ef5b2d02ec63e981e31b5069078415f261d9825b9355893afde07df9a097179e05ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX2ON51.exe
Filesize
1.2MB

MD5
d50b0507b058a106ac6f96fd9d765f2d

SHA1
60ec65bdc063c63218da2458133772a7822346af

SHA256
2b885fc30cc3c30ae20e89c7aa71d0828af4eefbb7e270af4b57c22e8222da4b

SHA512
34771d8635ab739417aaf1db1cfbe109d78150337ab06f9cc6c52981f9f96f6fcac5ec6c81b91d607a16d5ad33f05972afc67341b259e5bb0c2e57898e57335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4gY147xN.exe
Filesize
1.9MB

MD5
926dada2729ee3a9e410b6f0cf1ca34c

SHA1
3602347ae5c2349d9749d81c678b59a352394ffd

SHA256
9cc90bd83223d97d6f337f68499a749cb894c5bf83a5292fe874112ce0c31d91

SHA512
31d64261a36ef38b517f7e9d43b623bfe8407e7d1822f9e4719ab6e1cae36c2dc50e4c92e3aef8147083c8a7315cf9613a2db4b315abd80fd0774304625adbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YA0cB39.exe
Filesize
697KB

MD5
5a15f93d379eea5239d227eab848e488

SHA1
bab931de798a3aa783762e6cc9241549d5915de9

SHA256
6c60966b2c933b87eadc968cdd6a9d78b16f1cc32ef11538402df6c898cb29b2

SHA512
7cad21630a4bb709de194305ff56eb30c14bf1fd0df2cc0e7aa991bcb090fe05515d8d48530cb528012271ac597b715af9f33dcf625bce8cf6b6ffd01d389d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3SO24vn.exe
Filesize
30KB

MD5
b0cfa65bbeb6129a5355ba5fd9f1ac11

SHA1
87f37aee9fb0bb45a79f0c8e9677ac6f5203951f

SHA256
1989dcd6e167bbb15aa5cd8107d7e9d9eee7e165da35fdbae1ccf21458ac8b88

SHA512
fc06f52c36dbc302c2f6b58861b620844069e67170929800b7746da5f6fb6c9e9e7ff13bcefceb6a2fb76c26ae292c0cad96fdfd00e5fd5580a5e8838dae01d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cj7aK37.exe
Filesize
572KB

MD5
b8d477f33ea17a69c51403aef076e358

SHA1
e52bd3eaf40652073fbdeba394daf257534663c0

SHA256
09aadb08c937d8c1f1e3606b483a1d4f88b57c29b829157e462f1393a97fa109

SHA512
78dbd3ca775547f87d670f8f3edf2ff43b73b9cab2c486a62d6e589de4538a9604332d1b538c46214b107c72864caf9a5b216fc90787977b54eb613a1fbd3285

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE97zh4.exe
Filesize
1.6MB

MD5
1a426cb8f9ac97c1bea72cab4f1c2546

SHA1
32e7fa3372dc121c27e1f66c3ef1122af1ceb3d6

SHA256
2852e1a8a77e92bf2f3f79c01f4b61c75e5b62f9d9a2da9d76011b9727092b6d

SHA512
059cf67e3e5f2dd1fcd0b6c9b0cb36421febc8364c107ae2bbbb0d3539ebb0ab042a2ba8f206aeede561c1eab387ae467a49dfeb2ce22854e38a090b9df7bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hF6730.exe
Filesize
180KB

MD5
ddf6b527f049362343494f4de88d6343

SHA1
2f78fcedcfd8bec5865f9415cb06b2a208a15c56

SHA256
ee8a7c06a995129e7052b677acfd62142746430eaad70b4c62639c86396de09a

SHA512
a74a7c5acddc16b82e79db12978412d33a1cc330cf9df3a876685c3c01f6c63c999ec11fb8e42a55e0e9165587a8eabcb5fa14841e4cc585aca378948e8a9361

Download Submit
memory/1184-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1184-75-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2032-52-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2032-73-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2032-83-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/2032-59-0x0000000007770000-0x0000000007D14000-memory.dmp

Filesize
5.6MB

Download
memory/2032-63-0x0000000007270000-0x0000000007302000-memory.dmp

Filesize
584KB

Download
memory/2032-82-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download
memory/2032-80-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/2032-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-72-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2908-78-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-50-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3428-43-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/4404-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4404-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download