Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe
-
Size
1.6MB
-
MD5
d7ac39bafca00876be0923660c93e691
-
SHA1
3c9ef605a454e34dd9a9fd62e9b6708264845bd4
-
SHA256
c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa
-
SHA512
a975964dfb6185d16cf41ad750d085bfe7073c22b0109c475e0e9df2e16cfca504e5dc1a7eff787a05d1b3f8b0175a93315d3c164629128bf492f13c4916ecba
-
SSDEEP
49152:CVxCYUkZjoWq8qAE7Gqp+LsIwq5C5SEaJ7:oA1YjV2F7pq5CdaJ7
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe"C:\Users\Admin\AppData\Local\Temp\c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iZ5KL58.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iZ5KL58.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ax5HT65.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ax5HT65.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eU0eg95.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eU0eg95.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QT1eA51.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QT1eA51.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\GI9Ju35.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\GI9Ju35.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ee74lL7.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ee74lL7.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2eJ5051.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2eJ5051.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 5409⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3DC11De.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3DC11De.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bo585QP.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bo585QP.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5cd3ke9.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5cd3ke9.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nj8Bd1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nj8Bd1.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wD3zy47.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wD3zy47.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\65DE.tmp\65DF.tmp\65E0.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wD3zy47.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x100,0x170,0x7ffcf28646f8,0x7ffcf2864708,0x7ffcf28647185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,5400208522812395791,328336075517760836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,5400208522812395791,328336075517760836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcf28646f8,0x7ffcf2864708,0x7ffcf28647185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5608 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,12321840776179101778,978248634196459389,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5072 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcf28646f8,0x7ffcf2864708,0x7ffcf28647185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,12381725437654537736,127324308745759166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4632 -ip 46321⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
11KB
MD59894e076b6be08916ac2ad68feb23b19
SHA1b27051ce012bc29950b6e049b3d9342814bbd9b6
SHA2560be1fc079c7ea34df7b7fbb28a80a7b0762c5f488fc948a885ad10aae7f922b0
SHA512e228120e4c507b6ecf39b2ef073d34adbebaaeb761cb9d9c5679bc285f0bae96329dd15197c20a311def9367f97bfbca978909f89d0ebc2fb829c764a205c1ff
-
Filesize
152B
MD59ffb5f81e8eccd0963c46cbfea1abc20
SHA1a02a610afd3543de215565bc488a4343bb5c1a59
SHA2563a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA5122d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
Filesize
152B
MD5e1b45169ebca0dceadb0f45697799d62
SHA1803604277318898e6f5c6fb92270ca83b5609cd5
SHA2564c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
Filesize
1KB
MD5def32aaef99188b84871d2819070a89f
SHA1b22296fb44eb76d0768b06e634849984d97a6a8e
SHA2562725ca690ddcf31b68ed3f388e383cfde2d231fcc2aa8c9e9b6576e973ff10ac
SHA512de5f4d380904b6b80e0ae2545c33d7405f830200e5a415d1a1fa09028c554b16715c292ec09f8a09f486531334489c8fea9a4b3df0d98d3f5033049b7e29ad72
-
Filesize
2KB
MD56d72e491adb3309f21e8d2276bd574dc
SHA1235d36d316a2fe59df33671f123ac716c0129f92
SHA256420b44d78d0b4eade48538fe20b3eefff204a12be3a3827463c6d403e3b47d3d
SHA512f2106af625924d91215f488073a506a83f6728ee3ecc5da172060c7c30c821ea7cffc97c7df5e3488fa85eddd6465c5f4fb7dae39dd478a5514a1d306efcf39a
-
Filesize
6KB
MD5502a381d3ff45cb03458f62741bcff2b
SHA1f905c23ddef218d94bf961fba180370875f942cd
SHA2564ff1c5da5fdfa68cef274f5411da62cd2978171e91c86b434578e989d3e1cd6f
SHA5126730642bb229a8afb64931b7183e52fffba1f3eadd926683acff74fa9acc08e793712757a88e15373f86b9fae83604f1914df75a549934d0715fb94307e8e67a
-
Filesize
7KB
MD53694d325ced90881c1f645180d4ee74f
SHA1c088b01999d708a47c5f7a957cabd48b43169d49
SHA256764c73c42996005e4a8b6ee1e58691e39513bf807319209aac5c330d3f014dd6
SHA512b249ff8391975903642e9a4606c0e915c7e54f2c7c36ab9f67417750c4a49e5b52566d641d1b1cc78d1ca5336264b50eaaee0fdb6d5990d8a7ce4232bfeb030a
-
Filesize
146B
MD5f896b8e5e7b2e8feb40d1c00b26f1b3f
SHA1ec8495b192c93a106cf59a46c12383a2aa61c8bc
SHA256845033d7c867f3ce33fe616d0b640b1189f8eb900e21a89edff2ed590f4e7c16
SHA512ef1d38b70098b457e7f7caa3e3958a3c830309242b3879e4f5d305bea609fe42cfc56b7686ec43695781742bae1882aee229b3e305a429d33d4d68c632df7305
-
Filesize
89B
MD5b7429af9c94241e85f0dc214c00a6a4e
SHA1fe109f33e212c3f15431ea3d1fd4216061b70ad7
SHA256c2d357a64b61efbc4bea8116adaa9549cdaa27d779151210502729d67e8f5b49
SHA512eeb20ea243eef9f953c498a1fef196f063a10c527a9463c545cd940fc47d9f453eca7cf5f04164396c29c09051f1699142d51db747a417149a63233b22853f9c
-
Filesize
82B
MD5b6ee410c1f9cadb1ddfa12b1fb82625f
SHA126725424692e93465412a52325f10f240b8341f4
SHA256e7106b8904347a75eec90e4ab9c144c57cd40ef46327e3c58d4a7ac133b7295c
SHA512537735cec17fcf700dd11914add70937d769946b27c28cdbdaf23db3d1ac2ef5b182cc40043a506d9fabeba638ae4198bd966d4e3fd64b220052886469e1a531
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5574ef8b70579743456d914dd8c7af1ca
SHA151022000d566e4090d574a359062f6e1f6d7272e
SHA25610fe3ccd34546fd0b6ced31e926ba677b7d0058999bdda3b900fd2939ecfbc44
SHA512a3f2c51d4da4737138997a15aa2b526edb93964c3d141fbda917449cffad8ccff44be898ad97ee50e23cc80724149f3208885a7b95e512214a46fc1fc575d05f
-
Filesize
48B
MD57efe6ac100aa5ba7007b503861ed5f11
SHA1250d2ff1355dd3a301a9610464cf817e2cfe6d23
SHA25669b98f34e8c8c2deb9ad90122505bfa77391c12fd026b1ca69e0a28f58414f54
SHA512ca13082845115fd2f7fcdae01451f757eea84718c4516d3924484d80f243a18a56bc218e36ffb5daacca03bf076bc1b38fb9751a7d5468ced0d710095ecacf71
-
Filesize
1KB
MD53ff6c874a1583fbbf62782f66a536c3f
SHA15f07942cb572ebcce0887b97da074372e14224de
SHA256aaeee8a9705b96572f10395b8029596521d950306c4682043f664f450c490031
SHA512a7e668e340cd0340953db06a29e17bd6f0d31f02cb15c93cec32ec7345345da668ad3cd7ba0ed6ea4148dbbfa239f47c76c52bfa5a3fb099b26e71c55d7b96e6
-
Filesize
1KB
MD510f8e2c3f6ea13f6e5f03308d70a4a5b
SHA18dba534310279d8035a653354721dff9c6d68292
SHA256fb819040cabb22324a584382c162d20d5cbf9e1de21ecf6536a8e9d41921273f
SHA512418d5023b5379d20c85dd2f3e08ad9c3f31c17581fdfc30bf987635ebef599727fffb9d3542808b78cd15c4336fb3551683228f566270d92331071fcb32e3a35
-
Filesize
1KB
MD5dcaa6df8b2ce5032565e26d09549ed02
SHA1ef6d57c84c71d32fd5c2375cff541f3f2c724a3b
SHA256cf247411d40f7dd518f31633bed1205c429dc22ce4a64a104e2c525eae724970
SHA51271616d7998ad2d725e995ab0a28db82b24b78d6223125ca24387dcca7526c5cc23e87fe4fe133438bde466b7f36cc4438bbe1d23d7fcfa5ead5f5dbf6f65ead3
-
Filesize
1KB
MD506a388cb06e803f5dc4c03c262eb5912
SHA1d0b347c329c07f0f7f6a87b8a7c3705dca04324a
SHA256d74046c31f04b8fb306f8a42b41310e6bb2445817a6b22369f87b0fa795e9f23
SHA5129c56095e5357d001ee587d65b2249f72c369c9b4450cbd0392e015a900a64339a8015ec5af19d3dfaac3f0edd439d96c0bf77ebe169640b0914993b4f196f1ae
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD57d0d297cfaa190c8d5106be8231357ef
SHA113f44fad3276d33b2389f44a6796d47911c3a563
SHA256ffdeaf9b22020cb3d2f476ea55211db6565dff7dfb1279c5742504cd0daee14f
SHA512fd960012830fd7b22e5eb08223050dacd3ddc2724824e95e09c81e88745b927753b84e13e5277d43a49b16ccac1a7a17987a8bb240575820f735514946f3c8b1
-
Filesize
8KB
MD5f269060e56b2d476b191e9de31337054
SHA1430a28ec7673ade1fb831c958752a1e7401dc193
SHA2568052893e9e2a44b9271efd502274577984b3dfb6176947a52086e3e04d426d3b
SHA51223b2af952ad309f5d9ea16514d4f911947b9efbde5900dc02b2321fc2e029ee4fd9f00a8804607d61a21fd17ced0574488f91d66727b2711954553a9a50aeecf
-
Filesize
645B
MD5376a9f688d0224a448db8acbf154f0dc
SHA14b36f19dc23654c9333289c37e454fe09ea28ab5
SHA2567bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a
SHA512a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b
-
Filesize
89KB
MD54c63d8b4f91718de2669b1eb9cbc22cd
SHA19cc4cecc28662aed6504caa05f722a95eda5a424
SHA256211163b0fa2acab48cdcb0dccd6c008bf5d81b92718fc90fbf16f0693ebaec11
SHA51250437fcb42d1d5ae2985cc39fa114e84fbde5e99956c859c475b123fe041958cceaf18bca8fdaf8ac92597380a7e2da1e889b2bc5dc7a18cb9748fbaed5f97be
-
Filesize
1.4MB
MD576cd536d472bee848058b455b479e432
SHA19c742fa03a057039ed4311ec6f3a50b142458f98
SHA256ebdb3e356837ed476380ec6645eeb91fc639209c50cc81b668601bac9013a370
SHA5128feb743d70a9ebf1884f450994788a3159ccd2d3ae37c8205ed4f60f571b569203aaef0bb1bf5c7dd008fb9823ff105327c8b064a8763179b696b1ef759eabe4
-
Filesize
182KB
MD547fb2a8040b1de651ead55ae87690449
SHA190bbf82526aa1f7d87f444296003cb1b37860b8f
SHA256b09d4c825e850c2c5d6f9a900f5ad5f035e3102ac5e713dcc3ce6a3ec6661376
SHA5120c29613442c972032284d007d3ff4276ecc433d23a34d0e6cbfac71ea2f0f07dcce1a2aa8e1512bbe2c31bbfd37d3b31688c3a0c28106d2679bb6d5c1c781353
-
Filesize
1.2MB
MD547c13b767e6ca5c30e47bc6a97ac15d0
SHA14cb620ba23fc9f2bcf123814d3cd644bd3880d4b
SHA256e8a4afa2dd0d1625e8a5b9e6ce8cd78770661923cca06c7dabc9df5bb9ef882b
SHA512e220759f31c84e478b2a45cfd95a427becd755a9bbd641988576257656616fc4a84012575985ef353fc1d73c5f76ebecb69496c5ba76af95a5607f4f6e3317c1
-
Filesize
219KB
MD50d51ca6c86f1be63b52fab49f4f3d04e
SHA1860e11ebd1da88bb20ff835b4c26e1707d9a853e
SHA256da3382a454e110c3bdcab8d18825ca8e84135d4b06fead5e8035649aa0db28c4
SHA5125a9ab6e0f7510ce45de48c533c51457068e8496ff1ee3bd4f397150399a105006a6ec4cd8a7e1b58b4ec3db39f3038c0dcf5e6aae1e8be5a8e8e950d8b6a1ac1
-
Filesize
1.1MB
MD57c841f04d0db30fca527e6241f2f55f6
SHA1d013030f21af549de8e9893551d36c94e5b0ba17
SHA2561c5ecdf1fc0af89882117af3e7bafe72a1565723ef6702277938e56b4bfd6c93
SHA51221cbc717ab24e7491bcade7e49c2208c2dc6b854ff9cfa51e17a9919107f953a37b7f23f9a8deb6a9740d07d20c8db047601f3db357014326757828a7e54de2a
-
Filesize
1.1MB
MD51f531de869b40ec6f169c33476e27746
SHA1aea5afac149cefd8e6ebdd4164c4e91ab5d3fd8b
SHA25642ae85b4dc788dd33b90608aa722a53d5e6714af8b768b7047cc7bf925d10d96
SHA5120bbcfc55db6e9db12f0df5cce666076a8e680cfbe633f4882da911b586a444a31da59f2b3da8585728fe61fc9c1370f08fe82ab1254587aa7695f26400757ee2
-
Filesize
656KB
MD5f3e7de2a57075e4ddc74136c69a1de74
SHA17fef0487c75a3f4b0588b69ec984d2a7b7b441d5
SHA256732d5795b19ba2a75a1430d4a69be6a11367bd8ec633643af1cb97f6c5983c65
SHA5124bca4bf5ae5a35235c05b4bd87909e95b9d3fd9678ad9f933984a68033495eb269b85499c8270fb4e3856bb943752c9e7c65753f057e361e3dea48d591c98cb9
-
Filesize
30KB
MD5a150cb7612547ffa842cfa3cb818815d
SHA1ca27d884715f5085fdbedf7b6b2e8c9b2570234a
SHA2564538e03c71f2ce91bb716d756cceb3a281279dbb788ec79983061f57a3bc3108
SHA512883aa4ad973e5078834d4b417d547f871521dbd7bef29d1bea2d5eb53a02676087b7738e67d8617c634b43c3c4e423dd202c589a39781210da69fccb490316f5
-
Filesize
532KB
MD5abc5894b2b927c28707bf4e1a53b3380
SHA17481ae78cc53022cc196ca1633777d33934a5816
SHA256b3f8df1c32b147d3cbb51aad55974ff54467eceda45adf03cf1083702ec6fd87
SHA5122f8e77ac03670ee3a7a09e13b6f0dda9523e24d4ab643a324694e69ff115fad6d03905ca71182e248f396bdd411cfa45dccdfeed85da76829ef123079cad37a1
-
Filesize
891KB
MD51299e1843120126ed0b7f61f3c7d3281
SHA146f29ca7b1d6273a8ec8eb591106db30b0c4803a
SHA2560c9423ff86ef39dbf0115e766256c97d5386d5d86ffda0faa599dc12a47b9b10
SHA512e3b1050d11978148cc5f677eb8b04f1d0eea3fb0ee4a2c59fb0b88d9389b7ba12f2ac10becf25b5287bc4ad2572bced0ba4f19acf032f3fa493d2476102bdf79
-
Filesize
1.1MB
MD58ee06103508841d589beebb3170fe1f1
SHA15779caa74ca1824fa1faf171a24a4905c2b8c43e
SHA2568b8ef90fc3e3331f756cd68a285540d0e21e10617998e2bf0d513635dd71cc9b
SHA512fa95f22ae95a1b7b679db8e960a00e3e8bff03f0ed3de6acb862ce85f43ddb8f2bcac9e6148944761664f69fe12a8515cd0a2fa2f08be7d7ec0c91672b5add40
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
240KB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB