Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
9bb4d5e852f4f0e8dafc9fa5d996814b72fbf55fbc4c073b180256b253dd28fe.exe
-
Size
1.7MB
-
MD5
d860115954d36fe32bdf282f58920d4a
-
SHA1
9debe32061f407ed9763fdde46baeef949cdbd6a
-
SHA256
9bb4d5e852f4f0e8dafc9fa5d996814b72fbf55fbc4c073b180256b253dd28fe
-
SHA512
d5ef6ddaf01dcae2e90e6c98456faababb3cc19ec46c129bedfe41871220cd2390cdf9c313635f1dd41e6c87e8cf56a3461e21fbaeb237427c261d69e00a5110
-
SSDEEP
24576:+yCl6y+0QBGvV1IzDRUCW7oSVbedySGCsSr00DyvAnwMy7FTfnPve7c+BYhzuu8W:NClZHQB2VWn6esayStzmsyh7PGmEhD
Malware Config
Extracted
redline
homed
109.107.182.133:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bb4d5e852f4f0e8dafc9fa5d996814b72fbf55fbc4c073b180256b253dd28fe.exe"C:\Users\Admin\AppData\Local\Temp\9bb4d5e852f4f0e8dafc9fa5d996814b72fbf55fbc4c073b180256b253dd28fe.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yS3wG58.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yS3wG58.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bv6ZN30.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bv6ZN30.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eM2di66.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eM2di66.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ow9aO73.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ow9aO73.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\pd5hR13.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\pd5hR13.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1LR84Fz0.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1LR84Fz0.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VE7867.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2VE7867.exe7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pR15AD.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pR15AD.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Cb753Es.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Cb753Es.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5bn5cH3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5bn5cH3.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lQ9rf3.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lQ9rf3.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Md3PQ81.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Md3PQ81.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\54B7.tmp\54B8.tmp\54B9.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Md3PQ81.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x84,0x174,0x7ffb071146f8,0x7ffb07114708,0x7ffb071147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5680 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,17096913754616965977,9183705355016005466,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4904 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb071146f8,0x7ffb07114708,0x7ffb071147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15877087768598167453,3202693807142329061,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15877087768598167453,3202693807142329061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x154,0x170,0x7ffb071146f8,0x7ffb07114708,0x7ffb071147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,10000510146819633145,7192270706479772000,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,10000510146819633145,7192270706479772000,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1712052802.txt"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regini.exeregini "C:\Users\Admin\AppData\Roaming\random_1712052802.txt"2⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5550b66d85da608e6e87825ab5a6d238f
SHA1be2dd0eaf485a209bdc8fa8354b1b89531466a5d
SHA256d9bf54be5ec481e9d164226d15fc7e1e47bca6595da23545a65e6618c43da149
SHA5120b91e89c450cc772629819dde015c611365d2cb294bd26896d76efa5fe2c2bed1e0516a23e2dc22aba30409b07b27b8794c23c2d612cba956593f03a70700cc5
-
Filesize
152B
MD5cbec32729772aa6c576e97df4fef48f5
SHA16ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
SHA256d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
SHA512425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
-
Filesize
152B
MD5279e783b0129b64a8529800a88fbf1ee
SHA1204c62ec8cef8467e5729cad52adae293178744f
SHA2563619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA51232730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
-
Filesize
1KB
MD5b7e32679ccaa72697db5b808a105a92b
SHA156d736bd86f9970feb8de6a3a79c3fc1ea3bf1ee
SHA2561ee14bdf80d3d7252e5fc9b0c60ab4cad7eb3d3d4550e829c593c4ab32bc01fb
SHA5129f573c44edbcde167601d358417843ae8d943da34c1506b09a8604841e1ec378484035f06a71e54b85f1bddd18401053ca8443b951090574ac7df6a4a6c02fd7
-
Filesize
2KB
MD5b868f49a581c5a3829b4a14fe81f44fb
SHA1a0a21ce42a4af982f0e7105cc2481574d8d7956a
SHA2564a1cec8f52dafd5224ba409a2c774c796dfa4e11a74f3ae86924ea688efde90f
SHA512dfba14a4f6f68c0cde18976a77dbb1e3ecfb9bd4b628a5b803909cbaeac5c915042dd78bd08d50a2a9ee36eb36f9589641e675cd85a0f89810ec64c7cbbdbf59
-
Filesize
2KB
MD5da1f5970a8f8e90c44a67f21aa5d2a60
SHA14c79d07a4374e94905107531c2d95f71228c010d
SHA2563e590a396ea27bfc07f91222774437999644cdfde35d6489d0437e0b736ad1d3
SHA512a8ff888a65911e9e32fc845b082bc24359544b990e42d2997e076954d433bb24e425675b36a752512e428d0f15189c1ed3f3203a68e9b5d48554991cafc88924
-
Filesize
7KB
MD5eb8c4573f3a7e4e57645a000d122a254
SHA1af7350fe28855625770f0e3e751f83be53df315c
SHA256357f6303b928d7d96dee2d8610b6d07d082b3cd594de14f42ae2d5730db2fe3d
SHA5128f8608a83d2333f093871b6af517b34fbf227e2b0371d0ba98a6cac83f3692e86eb2a33ba1f346f22374bc70c6721c3fa4825d100249b80cc430550610ea8db1
-
Filesize
6KB
MD5e5801da7b9aa51f41f1e3b5657d869f7
SHA1e1a8a7e5523c3cce3fc9dfa8ede2524f3675d54a
SHA25614fc3da0c5b016bb10e7511479301763dad0fb3b6e8754b7d58f28c1cd15f406
SHA5126c591444d57d7bb241d7c1a702223e9943445be0404e82c095337203afc39e5d955794ef8a7fce5b2743e67fa4df544f1fe0754d567a8ff98410753fccb23e50
-
Filesize
89B
MD5096c5dbfad783ee534d9b6e31727c565
SHA11d6ba2fbae81974ccf101c45460b995b05a527bc
SHA256e567c9b27cdb34a6f8eb044e9715709180b76735b8ee00551272dcc8d6aa504a
SHA512f01071999795e6e8a77214ed14e4d6effb428e263e2a481d9bca8ce1404ceda1e5b7cbdf85bf558006a2258a003665872cbb8b8fc360848734f1d8fc7bbf1b90
-
Filesize
146B
MD576256e4f63961b0c81f3c54903a90b7f
SHA1d9d3ee96feaf38ac7941dfb3912ee5ec7557d34d
SHA2561c5e46c0837c34f6c1f901562a90d596264f80cb390bb7f418e12e009eaa0c4d
SHA5123aef81951d93640941184f9ee51eb224d32576980682aba6ec3ba5729be0a1511131030530eeffb789b6adf773010207a15e5154d79f7f631ce43ac2ac95a647
-
Filesize
82B
MD5b6eee9e388e02f27884c03a50289d346
SHA1f6756ba85f70821c73c99b7336041ada465f351b
SHA256ed809129dbd8ba847535c99e6abed29e15b12f020d2ea123bbf8f9bb6524822c
SHA512e9b3edbe41549280cc8861d0614bf17377e9498f32f3ee8b7fac14517c70c61def2ca55d99a9a60f95787c5c58167c21ff1ff66834d7edb36458ccbf710956c3
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5e6bc670d2ed4557f1324fd66f79b059e
SHA1f1f771647b9be8aff3189cc91f1f234d5085cf08
SHA256daee370017a7ad204250a04f9a29253fbb187b3a9b6694bddbddc5982241bd04
SHA512f3528e719e8aa72c2c72ff3b71d251ae4563253142faed1d7ac5c75e81e0860933ff927cc21f189373dbb163b512089ea010e33efa8031aafd35d1b93706f056
-
Filesize
48B
MD5c51ccde0ea7cee612925f8f92a00ef88
SHA165aa7e1448d6fab1485f9c5846f7a3c0ac530bb6
SHA25607f9de59fe03cdceb49b08c6052aa53f006348a723e01ae0b3fe8bb80d7c1ab9
SHA512a7167dfcb0a2f1c3aed991c4e4203466ec4cac67ac53e4d85ad7438da4aa9b331ea7014ac5ffc012cc7d26d4c5393a833de5037fa266dd424a9775350afa2356
-
Filesize
1KB
MD58a86a31cc70f677284918daf73bfc991
SHA1f488ffcccb0fe3211989c5bceb230236bcfb5dcf
SHA256947406c088826cbcea86aa97c57e32b8838af2b7179418b8b138578834394ca2
SHA512797d215fdfd64449f8aad835069f27b02685f9ebb589986f4bcbb8d8c52f4b1b8476e67de8ddab07ad3a8102b5d0e471688efb241d30bb26b8d2d173b29da5a0
-
Filesize
1KB
MD54a0ca6f208a7a2433f7c64580237efc3
SHA14a5c20c1985bfe731fabeda8535cdd8bbbd3aa90
SHA2565bc32402e5d8cbb375cd859ac6f73f35535f78c0e6898d1b3fc1f38dc4bbbdf3
SHA512051625d47ca311b3ef96f5f609be1eca48c69746c991fc0e903e09e1c8017e7e990c8b7f4b8f785f9942affd8d358ffbc752654d3a8a521a6f794de6c4860e6a
-
Filesize
1KB
MD5c48c355f0e1cface53c5e663d5e13414
SHA114c2d12695dcc8c3638384a058e3a7a3c4939978
SHA256fd6b8cf0f23f219e9cb32a2ac337a6b40c5a79d2268d57cc953c761caa80e8c2
SHA512a6f2df57200efeec9e82e1e344b2c70d857ad33965380412f625c128965acf3a2c62b9e70c8d51ff16fc3ccd544577bf468456caaed814318315ade170ad185c
-
Filesize
1KB
MD53a092d802cc58990e392a6d64aa7dc0f
SHA155e872f029999178790ca1a3f910876f4dee2c1b
SHA2567a53aa437dcba1411af1562f2881f237912107a347aefbd16a070b828d691f6d
SHA51243a52d5baa3535967a719e776374291d8a9fd36b55edd6beb8db04b5c6d916dca6741192e5792a64393f683f679c30dbd662b9970a09f1e05c8327460573e32a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5096fb2fe7b958864ba81471534eb48c6
SHA13ad5b4714a5a8618d657beb781ca2353e0a21c31
SHA256d99ef49422719055f562b445fc0e2941fd9d2a12d0771e0f30fa26c9addc1d5b
SHA5128e1d957285f6f98defa2a49073ac9c52f9ce5cccee6b0015bf8cf63b0583a698a34f210ae3668b06f39705bd1b6278d2c81b3e106673a5ceaf88b10908cc9344
-
Filesize
8KB
MD554c6f860e438f93387840dda83ffe993
SHA1ce347f22e2223c7818ff5e589bcaa7307d119463
SHA2566f1df426c3a0cd77428d4ac901e831cafe7f404f9ea3ebe5203ae6f0c1ec07f8
SHA512ad8fae7b6cda2dc58362aafc573f7e28102a05004c3c58d366e86ceed5299f3f667fe66d120392fd72eff3344e1ea46bf3ef445f82b1a983021cd5cbf7e2dc99
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD56b7a8ac605de29c5c0b7716a19482732
SHA1933e9f8614269476ecaa9caa367829f5f21769b2
SHA256b11444f57d40b125631e355aa89e6a34a19e4c074706a4a08af03fa3ec35dca8
SHA512d642ec237e4b786743c17c78b735ea1030081cc6022efaf90d1438787fdf57213183fc7472e390bda244b07bc5927ff6d20b15403ab6974b62993c946ef67d96
-
Filesize
1.6MB
MD588acc57952a9b2f6b6004380dd7b051d
SHA1ea9be2f253dc850fceb183b48b99400730d2b92b
SHA2563e6810257ed101452fb6325bce483df4ac384d9c6f807f1a740232d340b683b2
SHA5123d41d02b6708be684eab5e266e158cc4e34725e1d167b2ce4d8e5fece00c0e3ced07365724ed75948283651ea6c1dfa41d654f328e34343fb6e6196012e97f27
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.4MB
MD520fd96fae3fb8118b0fb6ff7b60e6cb8
SHA1c9d9dffaeeee9910a1daf2555a59009519328cd3
SHA2567de3b76436284dad4dea66e3a0cdbff0b472027cfdf0a3b12963a875b6522d1b
SHA51204c0c07ed9230c1b175e2caa88abd3af5067e581cd6e97041a4973ca15fbe1d59af34611e112761c66bfa73152e1f2312f66af3def517d07df1b92d37aaa2d83
-
Filesize
1.1MB
MD5f66e9966806ae7cdade4ee238dc29133
SHA1425fac3a277102a565246ed6f6f682ee5da452ad
SHA2562bee4a29d651b044d35e60530533ffbec58eb99a259458317af6f02ed22e78ee
SHA5121ac7b35a56cf1e792abb35f87c04b5ab11e2f8c22f30fc73ede17dec9890452706e8a3f471a6954a0453f3e932aca2f1c9af9300fa2bcdbc5bb3b3b169f6b43f
-
Filesize
1.0MB
MD5e422d0edcef6d3b5281f4058f2e26b9a
SHA16303a61cd41e1d66219c5df18303c9ccf9c69817
SHA256490155233337bf3674644abdebc8dfa24e5dcecbf549cfbb7beb28c9a907fa54
SHA5128ce9c0a6b809a212ead16fb92587f9bd9888dba7e8fee3e71fe9bbc61cb41b640d76a4427bd5df58583cd3a0fb9e2ecc329cfa3adb066a1c8b730b75b4d5add6
-
Filesize
897KB
MD585d59343f6cf77a4db75bb3d83af5ac9
SHA137400c4b27b9a2e91dd267d53142eee9404c9c44
SHA25653991ef22ac1b66248f13ab163b5a1b9834c1a7c42c06a7d2e197b6a613b8282
SHA5123aa7aa0c6989954a07b91c0c681c7a65d9d61c80a2eaa7747d6c322b91a4f012a0541f622cbbfaba3ec8311e4a34c419255419510bc4d820e22a17872a3c7645
-
Filesize
688KB
MD5781ccb934a1a8547c0cd03a552107c6e
SHA1278e5f17dfa290711d1bfe4855556471c035670e
SHA2569a6f25a90dd25d943fb812abb8539af91e1f33c0a0fbb7a78d8aebeac9086d1c
SHA512a909388d733bf1555917665f4809c6691c6d4f31ad1bdd590ac103feaa0890556c5c400e847d4d1781b919ceec839995791500506f2867dd9b0040f5c13850c7
-
Filesize
180KB
MD50635bc911c5748d71a4aed170173481e
SHA16d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
SHA256a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
SHA51250ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a
-
Filesize
492KB
MD54750a3181353b6184fda9b65f8ebe5b3
SHA1bbb84b5fbf7cfd721d948534de6c83eba9c68966
SHA2561c59399c42745f06ce7b31e5e12d419e66b0b7e1accefb8b8aba1e1e6ed625eb
SHA512a80e90abed4d116b252135ed217f22b62568e6d4a626004b56cc24f45338acf75c406ad2b61801d08d816285138d197b1a60b8c50e87cbb6f6d3790ab1e51886
-
Filesize
875KB
MD573d86751a127f28504b4239773c328be
SHA1a7b5a37edc0841e9a269b827bb0bf28ae0d8c330
SHA256e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030
SHA512464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0
-
Filesize
265KB
MD515fe972bcfd9189d826083838645b850
SHA1d2bf7fee68e358fa71b942b8ae92e483536abf86
SHA256ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4
SHA51230f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
78B
MD52d245696c73134b0a9a2ac296ea7c170
SHA1f234419d7a09920a46ad291b98d7dca5a11f0da8
SHA256ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930
SHA512af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
40KB
-
Filesize
1.0MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB