Analysis
-
max time kernel
174s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
a3856df71eb61ea894a02826e7ea581b042c79602ab859be3aad16f0a039ffbc.exe
-
Size
1.6MB
-
MD5
dc32132299c4239e0d54d9f1731dff15
-
SHA1
7db45bd474049fc304172c57782cf5b2f3db8862
-
SHA256
a3856df71eb61ea894a02826e7ea581b042c79602ab859be3aad16f0a039ffbc
-
SHA512
6e8667cc95db7da46df710483d326d9035d83fa9e004b46fc598d4ea09f25063945fc53a4e05e08bd3e8c902069ff0aca866e1c699bab9bfcc4c3ac16442faca
-
SSDEEP
49152:JTl2GRpauWfLwGUoOosLdc6Un/eDAzQJJpHjRYVhN:58GoOGUosyRlzQJbjRYV
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3856df71eb61ea894a02826e7ea581b042c79602ab859be3aad16f0a039ffbc.exe"C:\Users\Admin\AppData\Local\Temp\a3856df71eb61ea894a02826e7ea581b042c79602ab859be3aad16f0a039ffbc.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gF6xy57.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gF6xy57.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AJ4xs62.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AJ4xs62.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oi4rU85.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oi4rU85.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oh4qW83.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oh4qW83.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\xb8MJ19.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\xb8MJ19.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OJ03gS8.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1OJ03gS8.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ed8722.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ed8722.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 5409⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Bu08Fu.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Bu08Fu.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Vt725UV.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Vt725UV.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5tc2Yj1.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5tc2Yj1.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nf6cm3.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nf6cm3.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7lb0sz50.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7lb0sz50.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CE7.tmp\CF7.tmp\CF8.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7lb0sz50.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe7f4b46f8,0x7ffe7f4b4708,0x7ffe7f4b47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3028 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,15582833196178031558,6413124286197009898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:85⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe7f4b46f8,0x7ffe7f4b4708,0x7ffe7f4b47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,9985479171488236731,1810230396772105342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,9985479171488236731,1810230396772105342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe7f4b46f8,0x7ffe7f4b4708,0x7ffe7f4b47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10688984989100662090,7635378326410263171,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10688984989100662090,7635378326410263171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 648 -ip 6481⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5d01a44178a9b32928b55a58fcbfcca1a
SHA1c441cda24f29cca177b8693d8984801ff7b540c8
SHA25654737d646ffbbc20606e969b85668c53b0e69af47426844e4348c90b4f2125dd
SHA512c1d5e3e8a6ebc1240b26f6269570f2967e5f0897125489c21cf7379b7621a9ddc37fc794a1340c9916156dd5c74d5683445f017a6c60fd8f8311d77ba8ef0834
-
Filesize
152B
MD51e3dc6a82a2cb341f7c9feeaf53f466f
SHA1915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA5120a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a
-
Filesize
152B
MD536bb45cb1262fcfcab1e3e7960784eaa
SHA1ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA2567c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA51202c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456
-
Filesize
6KB
MD57aac5bc5851213e948eb67e880c73568
SHA1da0e34c9c855a29ef9f1de79e6dc9212e3f71dcc
SHA256646c84acaf4a5c26a019f0b5fe50ae07be93371c1f729194084d3a21313e75fa
SHA512e93b33c1b22ac75213997c573746d5bee884e25530b9f9d601cd0236ba9e1f16adfeed1fb8fc5908b9377d947269a78dce53ddd491167c61d9c48e540a64a040
-
Filesize
7KB
MD558e2d4b918407df1819cca9833c3a441
SHA1d9ff141a06b9792ecc22df6c157afbf1325be63d
SHA2567e9c58947036894a90a7922871362f9d325d39207001220032733521c230b1b1
SHA512d7a79eda751807982950479a1bd8462f01ee2ba01de51fc114ee3a63a808df8a21595d066e3009d44491054ce0db3785bb081dee35e5c682d0eb602172439d56
-
Filesize
6KB
MD5ade14a88a4a120239e840125a015d6ac
SHA16f68d3ade2a67f08f044032e23a3bbf2c2ecf9cb
SHA25630985d89d1e2afc6120c184908eb31cc84ced12ebd578800b4d0566eb273536b
SHA5128bb16d16bc2dc832fa26711af81ffbdf6b500d8054ba1af4de26e4a0305a64c88ae54f8e574b4cd6b729de4f2c7da5931bf8e34f8cfd6e04e060612d74e9321b
-
Filesize
7KB
MD5b26f843df34c8ce0443cc7154b024435
SHA1819b6fcaa4209a452f3182e2d61040ebf815bd6f
SHA256c92445cb273239c184fd8fc30cfe8e9d0417dba37567cadd6f8e81c1b9016ea1
SHA512e57c2cfabe66b4eb4584720ae6346a7541214a4df8f1fefa63180fd40a54b27ded133b3eb36e41509eaaf87222134729ba222eddb083e347cab2c9d6c1503732
-
Filesize
538B
MD55cba32a2cda277465115680f87bcea31
SHA1457b90e374f7f671412c13a5a48b9b344ddf3da0
SHA2565292e07f18049780f7c7421728f3d1c86643cfccc59d0c034c5b10440f111aa6
SHA5124983fa8714824efbee3cbd6026206135e5f397a9d619e31f0a9b57fa33963edf6e848f527be6a44dfb6757ed6f1b595aaf1237ddf1c5559325613d2c93dc33f8
-
Filesize
371B
MD5ba3f0fa86235866ffbfa78b71454bab9
SHA1fc996509f95c3eef51278262d6c5759fc4dfad53
SHA2566a4c0b7639ebe4559d18868fec8e8c111cb058e3ebc6d6dcb4d7c07cf4495a20
SHA512beb916e4771d6e563a5b83458820e01322d6392f869d929acdf6203b890db962cb9770707a1212603119b423a98442b62748f98033a5c5bef8d5ee318759f3b4
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5b0bb0c864995a31947a2d1866a14736c
SHA197934e0b09281e52d77db94f8220d7330379191e
SHA256b6abac6183d0c1a0eb82d8f7ce6eae527951d7a22085533696d9639914b6b294
SHA512ab8113af6c6453d3cc7ce8848b92df41d58b0157a6c305fd45a60535af7b1d464624d1401c9321e0ff9f2ef1da0caecdc9fb60ce5e62f26dad8eb84518945170
-
Filesize
11KB
MD5b766ff1885c1b0756e843d5e413c6e9e
SHA1b3df8f0064f3cbe0348685e6b5a450c3c7c1f012
SHA2569781f80c366971032370ef10e4223323a59489bd3eeacd1c1092c92ad4953963
SHA51231418201e899b48b6c8180d473bbefeffee2a9b875cda84cd4939fb3de004f5e76b5673fa443ed1b552731ce047b35031bd9449e2ef13f68f10512b7f4de1c7a
-
Filesize
8KB
MD5025277339a62787df2d54732eed5b7f3
SHA1e3dfee3e7d23fd7116d524777112561d2fd57b38
SHA256bc7da8e1bcc1085230813df55dbbf8db97615e2ea8a925de491d279515b91e6d
SHA512848c7b040a7dd6ffc29bbc99ef6131e6cbde4e94c696bc95c41b762f81fb7626f019572732fe9ac7709ccec28dd8b9417d56d268fc0bcf038d71c0b18db37d9b
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD5c90063386390671a7103b1ddd11d8923
SHA11a7d4f81d424067a3f565a15477471a893da84ff
SHA256676c0e79d68e176e9240bd8046a56092061afaf2789cbbd25073801a785d07b4
SHA51290b28665fff4dfa3cfc2a3bac7b50131e048d0fd3241ad51f7800644299560b4f306c09356538abd7c4ed2f7d834079114d44f1ae8117257e5a4b0dc9c7028ab
-
Filesize
1.4MB
MD5930beadc75ed80065324e8f8063cf8ad
SHA12ecf437dae87a2b9645d6562c0488e8ddd8f485a
SHA256923ea2cc7717ff5dc23dc9f990437179ccd27b0e3952aa697ef5a195510b1234
SHA5129cba6a2272659d0a159ca8fe3b450ab8353ba809a9fd5ec7ce7acaf176baf36b998836301fd35f93b750bcc3eb646287fc52f9cdcdb39a3e4eeb800975f48a03
-
Filesize
182KB
MD59cd33125db575ea280638ccec324fff6
SHA1fe3317cb91a1887773bacb73b61859ea9a47f7d7
SHA2566bc93c5af6b77075afa4d7e42e9fb6e35ecc908e377c2cb673b21f7fdfb590ae
SHA512244b113d7424ca1e1cc6df98ada25a5b63a201624db8fbd9e769468c1c8eedd36bac6a85e59231dacbc357ec355209d3d4b8f52b540994f4693592022f8ca143
-
Filesize
1.2MB
MD57989bbf8a008e02a46f34fb509dd4acd
SHA1f7dbcee7367b26511239a7c9a953888cfb3f4592
SHA256221d9a242bdf3f06596d2cb045290031d78732be19bd38d60ac2dd690cb0da7d
SHA512623de21092e345bc359990804cb3710a5acc308ffbba8d79001a9e4b6235b936ba4859dce505f054de156cf5354f03f475504437d05129d004b45dd56ff9d0d7
-
Filesize
219KB
MD5032e3baefbf45911d51a0588cc2bd2cc
SHA1c40fc42097696a0f8f36fac6093f6c86ea48deba
SHA2560807d61ede8efc08999f15943a89c1d32e6ac61ed9c37e6e9aaf408ae0d0c715
SHA51278e3a551cf0e334f23fb72844b4662edcf97928db77cc08bfb50e2e2dc7605d786dc7163e5003ffbbe3eb6ac5a23da5007ed4ed21bdfbe72db42448747cce0f4
-
Filesize
1.0MB
MD5816133baa4571b2cbbc3e19736c15144
SHA1dc088002f3825bfc888d3d6c7e0584b02564ffbd
SHA2566e4f256e86c0f1067621a8c6087b5809e76519e0da77e4c22dc93c101f013c7a
SHA512ddc0160f2eb11567a7d5fdfda523532a75c85cd55831613364212d7441273486c2629c37827e85ea3590c47b52e386ac5dff112e4c19b719a9b4f8085a500c42
-
Filesize
1.1MB
MD5d05f75bbd1acc780a6052b7e06aa00cb
SHA1ad67dcb35d31ab4b7b84a39af2650011e0d2108a
SHA25671ee44f9d803d429e8dc1ba5f9b1e81080128f18bd3fed914f313984be13ed58
SHA512b412c802af1632585522639f535a19b919bb5595d8575a5b807ac0735d2cabbdf6e6894f2b74226839ce6f641343ea94ac176b38de7108d93875c5aa8b1a125f
-
Filesize
661KB
MD57e07d1fbcfbfd08b7e333f9fc4557679
SHA17173b1fb238f9c13d3a62b6ba89b69f471894ba5
SHA256cf3ee7c1d5728b2505309271ac1a990a528acbac4f1160084c72ca07b8d834ad
SHA5120fdecb3f875fdb3265bd72b7c04b651ede88cc356c29ba2298b3bf52885f6dfec643223cba8118bddef99cedbe5f6444296876935c545e9f2c1750d88717d2cb
-
Filesize
30KB
MD5db0fd527bee067107516283d41c79ad2
SHA180e40d0814127c38a7e429024d91cc07ae9197ac
SHA256cc13ddac59cc37c169830ab9ed238ecd0cd8ee6f7aa9d0f87e045f6a116b1bc2
SHA5124324e2a890b64bf78856cdb87f12128c689e5234564060189e0a3e678b450a05f460adf7b0e54dc52619548320a3c2a93734daf3ecf80541e7dc6b6f50093852
-
Filesize
537KB
MD591b2b4d9a8750f0339de4d9858edafcb
SHA14443a0aa88112eee79e6205296b9606d94d0c8bd
SHA2569086cf986d6aac3fb07f915f53641662202079043fe8dd57c62a5f55ff3aa0e0
SHA51235833b1ce1f2404591fea43101cc686aa68594d49519e4aa9f2042793d825e92e807db756826a355e6cfda374bf0183c9d4a8642ac1c84187d3c56cd8eb8f3ff
-
Filesize
896KB
MD531dc50bb7773755a0b527415d04064f2
SHA1ec2d24de207ce4f31bac02db633e1fa308173c58
SHA256b59deefdc1962e108c7c124acab2bd04c57436e09ddeaa67d521a5403c10d2c3
SHA512333d6e21de76a52b0e7a8e8609bc444ef02b714ba4bf66786485796a24b4fefbd9ce4251d4c5417a2df4f7fc8b46b2333536142d305c4d3a63bbdeb6c25695e7
-
Filesize
1.1MB
MD5c06700c439a72b10b23e026bfca47cd3
SHA14ca0c5bfbd727eedda54e8fff8f72ed2d3d9e7c8
SHA2564b5ab8a084f940289fd6175a706c21bd3374ad62b097a106c9b96b103ae6a131
SHA512a14e9c4f0c21f37e1f7f008b3d467fca1c05852ca6b7fbf7db6f2f4e2e71c9da541a5e0f97fc2ca6b76fd9f177ca81a0ac6317006927528c3334abeb244fb15b
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
7.7MB