Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
ac83f97e0feaa00009066010fbc425e869f7f16d7a35d5d58bec33e430700ca7.exe
-
Size
1.5MB
-
MD5
36417626969d5c95bc9bed46e3164704
-
SHA1
32a56595d5b4fa2a621b7bd61e48a757b1d77593
-
SHA256
ac83f97e0feaa00009066010fbc425e869f7f16d7a35d5d58bec33e430700ca7
-
SHA512
da35185947b9fa105b986ac317eae193e3e3a8d22246a9d606645e5fb5cf3572bc8a864269bfa584cdb0f51aa7e56a41ee409e2317f955111901d09ff7dbdb75
-
SSDEEP
24576:ryRTOb0DpYBPXQwT6X6hQLEeuBcymVEZO9MZVshNUNKmhpIaTYU2gS:eRlpYBP+X/LEDiym4XsQXhCRb
Malware Config
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
redline
supera
77.91.124.82:19071
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac83f97e0feaa00009066010fbc425e869f7f16d7a35d5d58bec33e430700ca7.exe"C:\Users\Admin\AppData\Local\Temp\ac83f97e0feaa00009066010fbc425e869f7f16d7a35d5d58bec33e430700ca7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dd4lm12.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dd4lm12.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DN1wR98.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DN1wR98.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XZ8KI22.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XZ8KI22.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OK8oV32.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OK8oV32.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LI96Cu3.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LI96Cu3.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZQ3937.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZQ3937.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3kj59GC.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3kj59GC.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4tP835Tr.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4tP835Tr.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Vz5Bi7.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Vz5Bi7.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Up2RG2.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Up2RG2.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\56F9.tmp\56FA.tmp\56FB.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Up2RG2.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc826f46f8,0x7ffc826f4708,0x7ffc826f47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1413732976076724729,11574232205539157696,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1413732976076724729,11574232205539157696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc826f46f8,0x7ffc826f4708,0x7ffc826f47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4228 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=164 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,13912441780191852195,913900089644641285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3496 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc826f46f8,0x7ffc826f4708,0x7ffc826f47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2444480753830815098,17781237016087931368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
1KB
MD5f2589d3ce94cdde225f183b7e804d9f6
SHA13453ae3c35941572387bd110e88d35ad32f1718a
SHA25654246cd29415010d2bdcc91fda5425e818757ff32d0fdcd087a5bdeb947d325f
SHA512aa1f7fdc40fe2ebeb19f4ef30020eb4a29959a054a8ab96cc6e33b4b68d275280d4117bbbb023daa0ed3cfddb5d26d5640090b6a72f56617dde49e121fa910c0
-
Filesize
2KB
MD52a0d57ed8a9c466b157113b3f9cb95d1
SHA14352acf3584b1fb9b1e580887dece1a7a58fc0e0
SHA25689f3f77455d52bd19250b3193771763e786c01001bcfe230b3cf8882c3fdbfac
SHA512721e763b1a2d8a8a3094778da9206ab25528c3ce830234db67085f4ead4249264c148a0dbb05ef8c41652ecdc1df68db007478e0a8f0e08e39bffd2806c1cce3
-
Filesize
2KB
MD59df50cb47a85c4a24361bef34bec628e
SHA1cf5fffca8baa7c8c8bbb827c5eca53fd9f86963b
SHA2563580cd3cf6274f31815bc23c57e9b6154823c2570b9db8745be96f62e539cf7d
SHA5128f0581cb3034dac1f525a99da3a9613552316cffc307c87dee46b2381d84f08365203c8bc83f1cd960b27f0f6a5dee2ac81d0189213cec38064784b0f0632a90
-
Filesize
6KB
MD5dcf3bca06eb3c28e922cbc626a7f3a31
SHA124d26e24d6467c075200de8a0d20fe489cc0768e
SHA25673e4fe53fcad37da3236353e2059018b30cb2c72e4f4ab20800dbf9d987db4fb
SHA5122445a44b5bd008851bc35f9f689515368a3d13b781fa296e67e4331ebb268779ad51da55f502e65522555c4e1c9c7b38c8f7242bea97bf37bb621533014e2037
-
Filesize
7KB
MD55e0241946861638f209ba051029fc875
SHA1b221716d184fc0b74c57a3e7488fdfb4dd0b4145
SHA256346525f996e4f96374602c1091a2bdb1c6ff599d9ce46589608408b084605145
SHA512288c27d5fa35d2cb7167fc8f0dae6bf053e5861e81b20f2d837c734b5a621ff9955281e8bb85054fcddc07c7391999bd3bc6341f7f893f6b955181aca9a57b69
-
Filesize
89B
MD5f22556d652ec825b56a913e00dcc4e6c
SHA11f61e40b41cca187028fb528d251e5f678b96456
SHA25605063c98cd07738cd8c07a0a8e776f0a320fdb95077d2e660ea9c8435035ce09
SHA512113b867db076f76089d040d3caa6aee5cd655457bffc0d309a38577d7598133152bc724e89ed381090ca08f3ff79f42cd531530c311d2eec113db903838d0b81
-
Filesize
82B
MD5f26feb3fec346121099e9ed9d7062337
SHA1276d4b11b2d3722ebb7e11e417469b03ecc7894e
SHA256e8c33af2b2ca1287eae071d215a0050f2efad8c97dc5534c9d4b32c06fc2b06e
SHA51265b10b0215ad7b26a953db63cfc5dd0f618776dd7398e91cd65be83c7ca8d58edec1f2747471d1c9480385ecc9ff5825bf08cfeb239b62da43f16e057833c796
-
Filesize
146B
MD5275f5f35f9711dfcfd9a065b8932a608
SHA101e5a5bbe3cd908fde24671a7ee076c432da2f38
SHA256d9700edbe52b78617eb0ff92a067ba190c0986a5b6bfd31a443b8fa4daa42bdd
SHA5122b057866752ead9b34ea79fae3cf85f677b02692a2f1209989903e612b29cad8a3edca3aba4839c0390a34969b9794d3fb3f2feaf6b269d2a4819afe4c59d81b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD534b37fb234e767371a96834580024b8c
SHA10544e097e1df9ae31b284abf90646f7cffb7d57f
SHA256e91a3a217c187ebce305304f9e637206a23a3dae9a25c5e99ca7544b1b0be59e
SHA512dc4b39850c229b244dae9b1b34162a79ddec93e60aba5bcbbe6bd7c985ba7ef145059f19a1b2b43a4ab43497945b79bd6cc53da6f7dea7ba507d77601e3523c7
-
Filesize
48B
MD539456eb3c83ac1e088af6eac0426b5b4
SHA1dff415ec83118097c52e2986d6ebd4fab919fd2a
SHA2563afcdb28e8beefdcb837b2f9050731f2e0c23d17ebb69625a49456b3f0e2042a
SHA512e44f0e4249065969df948dc904ce8ab9e7171431e88a60327774f93d0d4e7c3b346be04682b4306147d49f4b288fed1319d0a9bc9076335781d5ac33ad50210a
-
Filesize
1KB
MD5767d41d65e0bc4909dbf26312c600531
SHA119d2b5f472b0a0ed7dde41dff6177ca8fab265c1
SHA256bbec9cdfc0dbe5fc3171bc7e6f3431c1d5c92e7130a4c05e9d7b31c85fa95efd
SHA512d30dd13138787690df1d6b07818b4537655a08e6fa16d342ea089a88a1dd43baf7a4aa18067bbb40cdd2e766e61038d87f94eb1df346d768faf0e789f6c69cdb
-
Filesize
1KB
MD5c8e41e817815979f4f6437c219c3276d
SHA15b8815959663d2ebb8712bc58a2a333b23fbd316
SHA256f6ccb6384caa9a06361393aa95f43baf5a06d3a23a829cd7b348513b5a4ce810
SHA512a19136884a1d5a7f0601f272f5df6915a704e39ca12308d758aa2cbd398638198b1dc8b3768e91fddd9b002b657d57045e223d0f4fada9b5f45a77f0279fbc3a
-
Filesize
1KB
MD5dc99dab022740260d1df2646f1dd5e37
SHA17bda02e1e1df8c81ff32f73f70c2b77290f08785
SHA256ab65d03e531e5f9878967228d53fbe5454a17be3d4c1775e043c9a4d33d6ca10
SHA5120949e92cf93ace3ac8fd9b09ec17b6cc141e8eabcf13138073a2ac29c6257f666357442ed64a1b5ac7d158c43331f715e53d94f32b67233f06217a2b3fbceee8
-
Filesize
1KB
MD573c0a9f1b7b68b2be3ce7461b4743692
SHA1bc2d1fef1b4e997522ae065bfd0eb784e265f204
SHA256dff0af094d06edd4f7916d579afc13aac2414f3f3f7cfc9af87932c10f89579a
SHA5125e4216de51a4d2ca5d61d03f1302f386d5567d91736ded16a91c9625bdc3c6313f1ab48d3488ae263300863f4612fd4a37a01772d7b7d5c1ddd3131f02eb4315
-
Filesize
1KB
MD520d1abf425eb999d343862dd275d454e
SHA1a4b3e83febf5ebf49eae3d63d4e1ba55a1e66e2d
SHA25605db9e7a6233affe9d514072426650d2c54a9000fad57906782cc7adc4fed884
SHA512ab5579c98d6551d39acde32f1886430f7ba4c8110fa5ee6a8fd9c90540ecbaa6b8d6a2984edfa979fe17380d94677e33855b8f7b26ba58c8db0ecbdf4fce61ec
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD51dd9384463455c13f7db43c783724918
SHA151d13de65dbe55c0affffc6e0ad5dc157c10bfe3
SHA2568bbb398ce82746ee919775d6a3bf850bccc2bd5ab385d7d708f0a06d8987f816
SHA512875562aa0527d564753243771fd6bf88a234a324b233a2e7ef957a1dd943da02492accc723a9f26c95c022c2bf17c9db5e25e03eebbda36462eeb4eb90841177
-
Filesize
8KB
MD56d18a5746a201f1ea4a841ad3b13dc6e
SHA197db348b2b7b2f4e2bab04a523f42dfc1cf35856
SHA2562d752579bda0c3cb5b3bfa473a6a297659afa5756bcd5970a37b596e83900de8
SHA5121c67bf35dfcef77cd961421b446d8d1f0af9362ae7fc370d014a9b68a6ec71bf618ccc0bd6ce349eb51d5794f6b46e63cbc7ad87718b0a76cbedb5680480b397
-
Filesize
11KB
MD5c883cdcc28823c896285a4a432b5f1ee
SHA13ced2b56c017a4903fc254ba86f7831d01f0ecd3
SHA2563d1f32c7d5a9d7a38a06127e1ef284a673fcc3e2906cf7e6b9a0e0c1bfa7894f
SHA5124b75cfe6472f9f743f559db446168369902894dff5c548317c66e5d851ecaa24f7e0367451dcec539d3f346f6ff118895a86e2bf3757ebbf177bf9392931d8d7
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD525a2eef0cd3a4c73b423dc11d24b4558
SHA10ad001a80f3269ad00653a70268bf199cab555ac
SHA2568124a9c22ec4797b8b0efd2b7a578325ae301d066fd463c5c9590db129c2cb5c
SHA512dbf7c72e3b3830566aee10286d7c81e9d8f918cca43cb72d4520185ead0ecd3eb0bd76e0b5ee8aaac62427f5432b2490d950dd168feb00d7e2a32725153325ee
-
Filesize
1.4MB
MD520a1c437920e47abb1fbe6265b7b9973
SHA1159454b72c210687ecc6778a6c244513c1c8b5e7
SHA256f7cc2802237eb0a78e87aefa4f14ded9b5c06ca8c4857eb2093c2854deb73e7d
SHA512e9638fac3823678a2ff87d268981cf0c02bd7d444bf068c7879e4bebd01d14dd7d821a0579ccac0776666cda90ec179e2dfa62dd1b825e8918e6b59807a95fb2
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.2MB
MD5533d6e9a4d21d3847956d709c211d9c8
SHA10ee27d847d3c267162c20e566b527ca8a0842e67
SHA25623513c986c9fc9d8349128b7ddf6b565aff5b3882f097ed4bcf35779c571b5b6
SHA512395a862e863d75cd37193ff9c2c060880bd9bf6482bb599cadb75420ce3b32a8c997b6ad61dff076c8b1b8c8dc0ad518933bf1c50943a1b24c34883c18248ba2
-
Filesize
1.1MB
MD5eb1336a4b98a525d06f9c6ec0ec39742
SHA15209adf1c194fd9cc068c385082d30d12218f24b
SHA2560169bab21711918e95ef91a6910c1caeef1559635f7f4d2c1bf79974d47cc547
SHA51276f77bf8d9bea1731429d97e18b3dbafff9190176fb7edd11be41b8ef79f4e809944e49574e329759ff567ed056b1b5e553b2f9c90ae934880fddc20bcf4c7af
-
Filesize
831KB
MD585e4a0f5a6136ee4873a53af1f693ed0
SHA1c8295b1ef666acdb88a5e320b5a1d70eeb17d96b
SHA256a277894fe9048cd5fca86a41cd15d3ca798f15ec412ab35d84f136d39597b97d
SHA512cccfff50a1c9736573e80e7d66991930ffd0a607441e2bba89a61a7e5860d31494475387068895ed0f42d05251ece93f599f78ef325c62db1c04170099243c7c
-
Filesize
916KB
MD57bd7a6ca99c240a8f965694db9779220
SHA1a4b22dd580b07c487c96e5889c272c8ce966f6d8
SHA2562cba59d0e93c789487237caefe4701ddafed3f03a507276006965f63a5b17763
SHA51237fbe01fe87017e69200bb9bb521ee6d0bf7fb410dbb6015a914e392170b16afbb17121e0f3bc38fabc3b6f4e337cde802def340124c1f9b1c1c72f59440f714
-
Filesize
464KB
MD500d2e192feaff9eaca0ec3c12f0a54f9
SHA19a6af5c7fa6a09c1510247fe4091d3c418f4d0fb
SHA25696ce06b368c27ec0be775933dad4b108745aeec3e6af2dc16cdb891999f3066e
SHA512694996933f02137531d01c9b16c7fb0240250f42ea06c9e7a61210b54afbd7aa02a865007825a6414bc029259b3c8ec1d7a2f9a33b529024c7216aa954ff3493
-
Filesize
894KB
MD5482c2daaa7250f2f2349259f7b6b09c3
SHA11313bc91e68a021c138ecf958db84c1d5b844895
SHA25644caf6ae6a43d1d4c73ba84983921d506f45dc226a311a5e307e94132322e446
SHA512676663ccddf48938b1b99632359978ef8847e7ed186c60c5b12b0f04040452fa9ece35b9f252768b49fce37e920d078c594bd1ea14f8d3ea0e10191959644076
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB