Analysis
-
max time kernel
137s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
b4a8466ebd6ec25b836f3d0c5c54a633e4d4ec5ad8fd14edd57c14b239ffcce5.exe
-
Size
1.6MB
-
MD5
d4d937fe82ff4a99aab43581fb89ec9f
-
SHA1
fe92b474f9c335d77cbc3a12be2a3e0677038cf0
-
SHA256
b4a8466ebd6ec25b836f3d0c5c54a633e4d4ec5ad8fd14edd57c14b239ffcce5
-
SHA512
521c788a60c2f60327f28d79e53699d47d24786b9aa3af9403d103da589459e2320fb751a9803686f74f50b204387827010a96cbac5bd45b4c6947827b919a1e
-
SSDEEP
24576:OySD8YKtnyEXKS+e1RpuiZU498QkiRimacgdx9We/12zCrzi/O+O1ajULtfT22F6:d++tAde/iQkUipYet2zCrz1d1ajk9
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4a8466ebd6ec25b836f3d0c5c54a633e4d4ec5ad8fd14edd57c14b239ffcce5.exe"C:\Users\Admin\AppData\Local\Temp\b4a8466ebd6ec25b836f3d0c5c54a633e4d4ec5ad8fd14edd57c14b239ffcce5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jF3dl08.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jF3dl08.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GU5lD08.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GU5lD08.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ff8hQ09.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ff8hQ09.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tQ4Ct24.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tQ4Ct24.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dx2cC84.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dx2cC84.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1EV04Vx4.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1EV04Vx4.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Qd9357.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Qd9357.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 5409⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3nd59wD.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3nd59wD.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Kv029eK.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Kv029eK.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Qf5VN2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Qf5VN2.exe4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bO3qV6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bO3qV6.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XM4Ys25.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XM4Ys25.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5C2A.tmp\5C2B.tmp\5C2C.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XM4Ys25.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb17f846f8,0x7ffb17f84708,0x7ffb17f847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,1297404724063226691,7093654282324757504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,1297404724063226691,7093654282324757504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb17f846f8,0x7ffb17f84708,0x7ffb17f847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5640 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1244980223894217684,9134526717236917768,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1404 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb17f846f8,0x7ffb17f84708,0x7ffb17f847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,17942174140388207893,3074611669466890040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 18201⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
Filesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
Filesize
1KB
MD5b837cfdbabbd189552d27e1259688c8c
SHA1ba552e10b5b8c99f3f58adccfbf422bdb5631ab9
SHA256dd2c9fb9ac0572a65f7c12387633316f7edae2423e67765695cee23be5fbf5fd
SHA51231432fc8b3c4b1c09b34906b8c9d5cadd9edc6f7845d4571baf94ec3c0bcc09d53649b655b44aba60c0b992b6fe15feb89f8ee137961be011c7661feb9aaba71
-
Filesize
2KB
MD5cd5ec6bd8b8d26eeb4b3b1126c15c670
SHA1784dcbe83379e6c979b78abb2ccd84cc972a92a0
SHA256b66b4fd74b1b0a9016dd4386661906afcbd1bee16e27230cfdbb53425ecf2d81
SHA512a9013f1a6a105207df7a0a49dbe943f680bdda69c11105b8f4a26335d77c593f1c6373d11593b797e85a263a638967fd449d45554e4d0d277a4db1ff30d9212b
-
Filesize
2KB
MD532f641fddc10e42044c725d6220f516e
SHA185a347e9bf445c90b287b811094a2e3f6b2e5f2e
SHA256f4cafa4b35ad617bf44d0d1f956725fefbdc289b569cfefaf78e496e5a5b7910
SHA5127f2ef211667a9c1e11876db0f2a643b0c1ffdbde0345a3c50754be2973ed47d7925fee12d81ef4b52b1954f3323020ba0cd6f9173dc48dcee951171a8899b014
-
Filesize
6KB
MD54cd0aa2a39df5356eefc11355614b2f7
SHA1ac0c4bd6043a5f745bc8151c20071d7ddf3583fb
SHA2567f7d2c5c213e40ed2fb6b3d406fbb28bfe41852f5445f95385d2b9c688ef26e8
SHA512bcf4ddaaac8cdc35d036715736efcf168dc9c15bd056c1f6dc93d0c1d2c2b1804522af3596727f61c268d72b726cda7cd1802a1deff9ed597839501995b0a9f8
-
Filesize
7KB
MD5b5c7b86fdb68c1047185398219b509c2
SHA17c192a98cda5804f90ae41cec6ceef9afd2cdc78
SHA256c178bdf79e6e5ec70f6dc4a3986a38c4c94ad0c2f71334623d174678080cf655
SHA512dcb071579202f2fb48384e53dab7f625796b07b91869e054b91cb008141ae8f09fa5fe519d4365701ae9d63065be8e651fc389a9710d55256196af2bddf90a2d
-
Filesize
89B
MD5988759cc349a70517edfd8f6f89abfd4
SHA1a1ab03ee224adf5fdd19fbc3cdbac19bcf8a06f4
SHA25669f2b5312202383ef5d05b3646f98ccd7dce7892b4606f2605bb49555b3e3f23
SHA512c0fe7d771eaf0c5f1e92c50d565451a2ed7e20dffdf71acc5394459ec7b0a745358eaeccf515d653ff91d3c714941e946f38d5dd031aeb8fd2e6d71db6394e23
-
Filesize
82B
MD57c7a4ff6838b748b9906cfe35244a5a1
SHA13c08c54c7d091e8b976a758ad984b01caf895995
SHA256263938e7f343daa2a2a64c6e6430dd2a4e9444f3f95a3152886ef77f8e030113
SHA51207931f033914c8c2fcf3fa9ade14bbc304ed6418b202ca37667c91c6ae46e2ac6d0d074588a45ae391f0e55bc763c3505e76b97ed36d2077e423e1f853028bc7
-
Filesize
146B
MD555e18d724641c21c6f7d1bb180583f74
SHA1289e20c0d907fa3fb3cb9640a1861ae3e39008e3
SHA2566152425b95ea6bb20e794fb054662c4535aecdc89f46353a84ebb95e667680ca
SHA51279fbac42eb3d46331c9dbb77b694afde0e21a89c35ff4b0c9d5a9d5a7cd164082c6ef08e070fbbcf762002dfa59341769d66c2de35dc122f51a70c4b052739b6
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD56825ef62da00179d660a31c799c3053b
SHA1855c8edb2b125d632d2dec947b29176cd11b41ba
SHA2569a8e01c074ae75c260619263e41282f7282ca6f99188cf1112f943c266d7e59a
SHA5120b64573b28f00c3a808b0cb86ced7ae3cf32052ccb16a270fe73a8631a5acd68944b6ca11edbfa00738c66a4f3ca83a97b737bc3e25262bca7a78810f415e2e4
-
Filesize
48B
MD523fe7677fcf3f16e4688f1ded8bc0462
SHA1be8f40bce83ffbce8c3f9957feaeb6b9c53c3e10
SHA2567ea754cc03533b9a44b677681745de373ff52013210ba90c30c7b1ad71d6daea
SHA512feaa680bf06ec26a9ba38ffab1dc5b5e567ac9dbab37eea7830a4b4dccec42479adfd0d698eaf3c41a52c481baf33af88c2359a751e6c65899d3703dfbfccb01
-
Filesize
1KB
MD5e3c798b46a27a77ce098e3f440e90208
SHA1ef8fbcb3a0b85c0b6765004ed22509772d56e066
SHA256cbea4e47556cf8649b6a35a57f4bf32c7207ce1196972db4c85f38ee2d250b79
SHA51299ff18ae9a1bab33460556aaf245f34f5ccb5eb1f0e048a9513417ae03a49e4b413ffddbe9b33e687db888d7cc07607268cf8375423470b9ecda38175fd0f1ad
-
Filesize
1KB
MD5b83c0f7105050310134d32044993bff7
SHA1781e89a8b53560fa5b77dc4f6263f5dc20c8bbaf
SHA25604d5325262c637bb592b1314ee456e711239659f77070642c70337f0df53d69a
SHA512f34a755ba34889c2ebdd5aa18d3dd325dad9949456325a04a171e04ee0833ba251edde74776149752daa3d8b3a91657dd6e590b2715c6d9f21cc9d1381028206
-
Filesize
1KB
MD573bf8098f992b233bd0b97a9a2f0fc40
SHA1b182d025df9d2efa7f793814050bca5df1851746
SHA256c0c85472b3be8c8c05f59868339388acaa85b79e1b27a4ab6821dfa9407679bc
SHA51233a3639cf14b474e5262a04bda51bfc2f64093ff4c9217e1ddc8a1bc2e13787c3a790cedfb0ea0e4d8bd08c37512a15641c59ba725a2bac1f5917414e99bef98
-
Filesize
1KB
MD5ee5ac941c368975d8349efd6a2a086cd
SHA1dd855312fae0726c7e475b392fc10377a86cf7c8
SHA256ce7f94cf292aae65dc0b66398f5fdec7bb6461f0908d386f52e100458fe88924
SHA51256d6d645a18c26f8140df4928c1ad4a5ae61d24093f6ea85677b320d254241c2a8e2f5aa01b72b79f5a72f31b253f46d9ad817ccb58b9a7e167645092e7b222b
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5513147c8429f6b334518ea5da01c93e0
SHA1d281c584c4b9152232607ca61a2fd1e0861dfa00
SHA256644ac66f6d5fe2e49b6d4fc53d374e6614bcefb0b30c0c72851dd201b0e00f4c
SHA5122a979cb3e13ab3f4b8ad2d7a1b861d49a73f3b94d488446310fc0e97577434c90a2676d68a70ebde1eecad35271a518488ca4ec25b6070bd65aa48d11530a189
-
Filesize
11KB
MD54e6cb62bd0d6d94612b6f4ea894442a5
SHA133263ff5d675d3390d1a0afcdac7b1a5828070e7
SHA2561a234ddc56ab435a5a98649bc963c8ca65708621efc6420be72cf86d313d8383
SHA5128802259a15c5dad638ddc59f3747111833643c123fcbfac5f8908e920a7930884ef85d145ecac0ef00d0b7a20cf5cc4d9bb460b7758d3376c6bc0d1b860272b2
-
Filesize
8KB
MD56022f7fd0770366d9c255adf4302f6ac
SHA1d4361353d0bd49295f9b7133a98826cf927e46e2
SHA25644e13587b0abaa9c19f6ee7074a3df2835eeda35acfa37083ae5fc85e5d467ed
SHA512a044a4c794846b2cc3b6b161395801b67a9256e98db8332c8483c178d942bc65e8fd2f89d03c8d8164c05dcf1f2b6de398da53c288baaf482039e20d0e41ec39
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD5ec083492f9f0b17ce4f7402eeb9e0dd7
SHA1fa7f2cf93fb07bd003329ead26c63cf1e8ba4299
SHA2567b1ce8561335c18331ec3e591b13f478896a5dc5c699de8660c105a4a22dcd5e
SHA51287a8b14fdbed7d0adca32c953c70ddf84afb3fe05a91d3ade7b3e08197061833ebed50f25f2f1c6e214e0fd740cb852543e6fc6ba58d0a0f00f150306f08f545
-
Filesize
1.4MB
MD54c53fbf14494b6cd45493944018118f2
SHA1fda4ae283b70b107ef5f9ceeecc54cdca76bab88
SHA256d661fa15f79f8248884a2b9e5a229a8017393ddca4791abb4850dc4b178a422a
SHA512e327d3babc443502fed3f78a3e29dc8cfacdbbff4bd4629ddfe8512dd2ab0e76ff6317e7e610a3898be1c71f5d27b6e8935200146f575ba5bd9624282f8b69b6
-
Filesize
180KB
MD5dcfac39d20d74126a22a10f173d4de4b
SHA13c9b1aa139a5b72e103b08f93b0f7cc3c536785e
SHA256256895e6954ade36dd2e510e96cde8ea732aa36ebab655682ec49531dedbabfb
SHA5126551cc3a1a7186f7b8dd33df07dd6d39e43b034735b4b7bba0ed92023c9eed08e15507b0368258d6d74c6ca169bed2f7890a6a40a0b054d4507a60b970cb5a93
-
Filesize
1.2MB
MD5fe181080e72086313526413ff818f5fc
SHA11d7a9641824497c0eefd970fb0a54d38108d8ebb
SHA25654dd36e249cbf6e5f54c3309158b929f864ca2e349e7812c8aa377eb0706e48f
SHA5121d52513b60f76c331928ddad81f17ca621d03b33503831554afd62e5f7fa1aade3adba14059531d6aba5c9e8f7aa34c99678354c3dada3d3a74dc28ae4916388
-
Filesize
219KB
MD52adc73cc227264a2b2cb65605e04ddd2
SHA1d8f25c99f0d39b01e2dbd12ab1a8e559f2701458
SHA2563855c50036648f2ad569d7dc85ede5bd55e0ed7b8ec45ca108cbc321c4c1272f
SHA512fe4170c1058396e9a259a95f1c8960abbaa7a6189af60149ec0b467a5038145daae751d9aa44ae07f5566a7de52038c4315f71ffe4340609940ea7bf65ef0f12
-
Filesize
1.1MB
MD51d9d511a6d2a8743d15242a6a35e71ae
SHA13db17ee8cfd1ee01f4d26bd6da4564e6bf19629c
SHA256302990e72db4d6a9bb10cb67f2c9e29662a04c64a963a44e43e7964b93779ee7
SHA51291ddac4a483ecb994f05effc5c155cec7f85e50b2f11444fd9807a287e40a5bef700baffa260ff7fb5e946e9a039e38828b8a54338a0e4803a98f48a20f65ad6
-
Filesize
1.1MB
MD595917bceef5fca8716f25b0a44c6a081
SHA1190afc3788a4d9efdf440a0ffb7c5731ede3a6e6
SHA256ea54047b72c1fe2e67e639b88bebc27d71aeda525dfb4f5ed8cd1c5d3225a57d
SHA5120e17f462126c7db9e589e260ceeaf94848856c82a8404806725b504bb2ab6214df957cdbef10902439df61daeb8585596404d5a61a76d92d0e0343456b0ff070
-
Filesize
660KB
MD5b2d5c98a2cd42f96a2aea6356ca89e08
SHA127b13c0e76240dc50068094d19fedc1c404665e1
SHA256e9e2131227858b984af0d80c5d7899c0776c0ede43ced95ad546fa4bae1598fa
SHA51277090b0efce8ab0cee36d4e6b7390301fbad2d9779142f4e56f26a554aca92b7fd5f20afa74b2ba25b8eadefb02aa48e9065f7524d4e3c5d82e382ee5cbfa231
-
Filesize
30KB
MD50088d891f0ccafad63181e8dff1e9575
SHA1b5c09cef3d91a010ceb2da45edef303e0d7e5361
SHA256e8ef41e2a49a71b66681d19dac104d5f45bcd980d3bb741c929abd3d6bebba4b
SHA512658239997d0eac78ba03bb6b57e3982559ae98b7b9877d904fc84e9bf72898ca9d5f4e70e9ea7361078e3e764d6a1b231582a92b7b862b63a1fc117cd7b4e51c
-
Filesize
536KB
MD59ef8691532e800852481defe770c3f06
SHA181c0ba8094a9be3b706acc0d9d381d159c1fd4fd
SHA2567707ca8b641aa543df0696c298916e6b0105484f66e8485f922a2f962ca04075
SHA5127c0d4cc9100d0c3aa8d5b90fb9347e184698c56aed89123a073bf1e20a1657a2e79db7453c6eab40624afe44a2ad07b70134082f85086b0b8872b0b3d2d6c457
-
Filesize
896KB
MD531dc50bb7773755a0b527415d04064f2
SHA1ec2d24de207ce4f31bac02db633e1fa308173c58
SHA256b59deefdc1962e108c7c124acab2bd04c57436e09ddeaa67d521a5403c10d2c3
SHA512333d6e21de76a52b0e7a8e8609bc444ef02b714ba4bf66786485796a24b4fefbd9ce4251d4c5417a2df4f7fc8b46b2333536142d305c4d3a63bbdeb6c25695e7
-
Filesize
1.1MB
MD53fcddf95e9b7166866a8462b7ab3e502
SHA13fb56bd3a7bd3a546be7e72d1cb31c7923817cbf
SHA256a564ebbcfc4b309723e77e39ce633a68efec5ffbd883d9c7a2f1fe58f54f5fdc
SHA512d6f961937a72420d60563f455fcf0d3a60922a3252bc5fa5f599094c5f99aaaec3e9549ae86029d964deddf23c860fdd202079387f1ea8ae013532b4d9b1e7ac
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
248KB