Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02/04/2024, 10:10
General
-
Target
df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe
-
Size
1.5MB
-
MD5
3b58f52654cf24ceac5a682fedf56ea6
-
SHA1
4e012ff7eed34f394136e4490f7bc281613f84fd
-
SHA256
df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c
-
SHA512
bbcf48c981fdc8b9019a8388ebc7179474ee9896003431f04f1d978078837a06c22335458a0fd782683afbfff4a06dffa17f09e71513fdaf34e0872597461f22
-
SSDEEP
49152:CdCs0UvZJ3HkXkf+/1ZvY1qaKidaHjskUWQP7RQ:Vs0UvZJtf6qdaH5SP7
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe"C:\Users\Admin\AppData\Local\Temp\df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 5848⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 5409⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 5808⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 5846⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\780E.tmp\780F.tmp\7810.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa542346f8,0x7ffa54234708,0x7ffa542347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,11351912776222806229,1584009821906067041,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5596 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa542346f8,0x7ffa54234708,0x7ffa542347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,8245504323220566193,9878506192592986585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,8245504323220566193,9878506192592986585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa542346f8,0x7ffa54234708,0x7ffa542347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,18348935154048012039,14920938691090565778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1712 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 50841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1460 -ip 14601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4732 -ip 47321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3608 -ip 36081⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD57740a919423ddc469647f8fdd981324d
SHA1c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA5127ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7
-
Filesize
152B
MD59f44d6f922f830d04d7463189045a5a3
SHA12e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA2560ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA5127c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d
-
Filesize
1KB
MD5455e2512c999ee1db8d5710040eb5997
SHA11517f4d7166fac29a746a949a01f016d43bbb482
SHA256628f6743ee7d77de810b07521b1bb91a06b02db08f86933285be4bbb1c3bd4ef
SHA512bc21a8bf2205b47818c7e0c6d6fcebabe071b0cbe55379404b240346e4f7a3f340d5b1e22b4910866a3415c09cc13ac799e1db47358d8cff2c8299c842058e98
-
Filesize
2KB
MD525778b5c3f2753b7368cc5ef592145a3
SHA1d442cc1ee347f3f0078df866ea547e1f8fcca523
SHA2562286023bd6dd325d6efe08cde287e7fd75b2a5b2ee302319d433f37a5cbc7992
SHA512e74a95e6efc53ac8d8aa9d320beba015a398486b49f525f49c7d4b450f2d124a7dd242a953e9089bf37c6b61b4ddecdf2ea76a454175ae190532c358907dc1b7
-
Filesize
6KB
MD55d566a34f200dc14e7e068bd0eb74687
SHA1f938fa79079d568cfde0fef2dafc31bc6ae57b73
SHA2569702b0b9280b41a57b2f7b3a5096e2d278de3be0aadb591722c12451eea26f9e
SHA5129da543e03ec0f144601d41e7afbade1effb8c6acb109e9e109547d61e644c055513ad29d1ee4fd6c63d7471bd1d816149b98f990e6567afc0be3183f8da51e17
-
Filesize
7KB
MD5855499f33b2294c5795252f2727fe60a
SHA12481b1c496d430cefb4710d164fbf010fedec105
SHA2565093231054285d05df8b3d4eb64c0350b28f5dd5ddb283635ef8de5beda4a48f
SHA512c52d39ddf750c6002ad7e507d53f3794e9f2614cb61c854d18d80ebc5d1f13c0dfdb9fbafc56f2b84ba81569a0716925e9524a20d93eaeb8da718227fbdd8ff6
-
Filesize
7KB
MD5bfe422077ae0ded1ce978f0b87e5e18e
SHA1f8033ceae8695ebf45e578c8020e085141e16162
SHA256ac099264dcb9dc4f8a21a071420408c15c536d0a15b2f9360ff88da1036c1b15
SHA51229d14b6bcb448066fd238f1da2ca91cc7a46ebf7d278fdcfdee5fec925b0f76f15f84e2e9f94918cd079838dca5998727ef0da4ccb1bbd3d553c73ae402a6606
-
Filesize
89B
MD54b324bb28f578635100e625452e58c12
SHA1a43247556b18cf4a7ad13017a26d1a4b59d274ec
SHA25646e22141ecc05889b43e18650136af89feabab4bfc514114f7f0528e359a0112
SHA512183472d4d2ffe4c8f522cf23c826a8cf8647e70acff0055b63b428a564134d06263fc7ba260a850f25d0b054e3f801495062fdec35cbe54455cb39b1058b14f0
-
Filesize
82B
MD533c07839eb5d05bcc902c10fdeacd47b
SHA1adf72d70f65f7250b3052d23a62bfcc0a0fd680a
SHA2562eb863410b390d0b8b523b634178dae51ded6ece12d5a4180b760c6a9b357d79
SHA51235e72fb130649172c91cfbe4a54e539b1096da3a321e8e5987f8fa20cdcd913df2587b503afbb516e48af276fc8065679e2c2ba574db51be2d0ae53ce0b560fb
-
Filesize
146B
MD5e5cda9071cf31bb947e1ad9571c9f146
SHA1eb771f5391e775ee5fb18fdd37a0ae8ad4c212da
SHA256ca3be7cf9862b614661fd7c5ed0e0329e489af089a5081086e02403d7f22e956
SHA512bac83289482079f96193afba808c02f5c04faa623c956a3658f97c92253c252f19aeb3f7400f1df06ee36f002e87254384fa143ec1b087508f8d4a389d729287
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD59b4b34f4a4787845fe7bdb91ed48cd68
SHA1cd8fb804f8a21e81243a6709e3f4c35d8953fc1f
SHA2568e8cdfebffabb627255708f16138cb07431e0b4519cf70e137c1034222a126d4
SHA5124e126ef2dc8fb8bd0e522152be4081f9a7bf9aa1efa6b940c6b3b3e7cec391f5041989c31f2c37bd75c2cb13476480d1e97bb95201e8298bea00f3cd4c59f1f4
-
Filesize
48B
MD5f26bc8a9a255c29198ec719b9f74396b
SHA19049c115e52655ba686110fcfdd9f64e63f9b20f
SHA2564e5d08c564b78f14cfae3dd70143d0a3140873df864bee7a64c4562fdb381e18
SHA512fa8270dca68fb61e036c650ed3c2278940fad28a655f741e8a31086b02ff11f273b97bfe7277e530e8aabde34d4d60a1df821e944d10e55359903b48323cb642
-
Filesize
1KB
MD5d009bcb93aeb7dd7eb79e0097caf6636
SHA1bf6c0ba5aa1774dca59d6a3a6fd0840e081e684c
SHA256f05146ae2adc7cc4fc25a68497811584e9d357ce438df67a007dd933417a4427
SHA512d58eb4be18e452421fb66ba7f0af445d38951a7c9458b564ec6a915be7905628188bdd41da1c6026df7a5158a68157a896a4540c0f5fb9075ac2e5e6d9d0acc6
-
Filesize
1KB
MD579b9129bdfef9c71e96e7ce91a5c0c9c
SHA1438468c6faea580ef1833169347f9b0e2e65400d
SHA2568b7c0f3fff65c25035d87e46a201a78a015c903b46592c5b99dddb37d9911dc0
SHA512255c5607bba69a3f9242b2a07127b8f64bf4681e131e9d0c9b8400b97910692fb0bdffe6416abe6a9aca2d933a74d2a3d14dcbccd8171ef235131da290c3001e
-
Filesize
1KB
MD5cc8ac4993e1d5fcc45a0f4c86cc578b0
SHA16c7eeaaf1a984fd30c4b6a205259a7659432120f
SHA256e1a681a7df7abaa364e953fdd548b62f49a8be7bdddc10bf17ab9a11cf994ed2
SHA5129b50da61bbfc174f9863a7032e557ed98eda7cd114f3fa566c97c16fa74f2e645e727dce8dc7d9cdf9ea375cec587387e02a72da5a0f316186ae78bd02f47ee5
-
Filesize
1KB
MD51d5a9e28e6c57dab19cb78c716eccd77
SHA1e05a5239053a652aa99b6fccce66da4eb9f1f6c3
SHA2566c80ce5eddb4a18668c215584c83c7a97533494a99069d525de359a088ef8b43
SHA512379d1a235ed0acc9cd08e3c442ec3a2c59ead26d441c5133abe6c0ce11c94055bdf9580d411d711f2e91bc28e04c13a1562929d5bac995665830573d1c78d508
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5ede7df3393f4bde414407f053decfb86
SHA1798ac1117735f63c626063116490b8bf3f8de7d4
SHA256f62250610b1d13b8d7529ee1cae775f2dbe64dfe800a79423c18806b87040661
SHA51201544ab4b66588c80f618ef51c2b100543e981c44926e2bb498efd1e48e43b50e78ba9e138cca20ae0906d72862b7949cf2c40176e5c16475fc02be820083b85
-
Filesize
11KB
MD5099614c644b58b6dc00318b6d5e4be56
SHA1bfcb7ea5684f4ee0d0575c3f25698550ce8b6815
SHA256ef6ebdb43c0fe11230ad5e9d532b4b4bf310e02484aec3215a9eba3544a81a94
SHA5125f82cb1d64ccfbdb1b0c8f27b7285313dcca5ff39361bbf1a2b20fe25e87c987699026ba2f0e6aa201580b737c3b47a0df556d6a39e10c0e43b47aac62ba4739
-
Filesize
8KB
MD575d68427c1dc8114e3ec313c6245bcaa
SHA1600499d66c987727d83355e380a94acaa46a40f9
SHA25683d165c8bdc173310ee8a3b094e9e43bb18afde012020228a575528df960864e
SHA512a74bdebf9fd3875b51a2d97be784364a601872f485cfc9a5c2626def5c1f41d8dc3b7bd64dcdf9f13f543c4741ede924cc193d70f78f6e8fa1b92647ddab2f0e
-
Filesize
645B
MD5376a9f688d0224a448db8acbf154f0dc
SHA14b36f19dc23654c9333289c37e454fe09ea28ab5
SHA2567bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a
SHA512a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b
-
Filesize
89KB
MD519b35690fef22b53e35cb4620c110278
SHA140d0326f69fcb00feebb4837bd27438a704be293
SHA256dbd44f7f9eb2d3b661b4cc1b29641771f18a0f1a799780fdaa692881e821b8c5
SHA51237042b386e70d15b67059768f68c65713d34a8a244cfdb8bd66eaa3caaf0122d16a5ebb2d1630fa47a305c200463b4c2a2ea6dd8e87a9a6e3ed5f12ad641950f
-
Filesize
1.4MB
MD572e03d75bf021a1e1c28ff695d055e65
SHA14bf5e85f2cea24d2ba29301752ead08f4e3335a6
SHA2564e82df1cf92a65295b16dbc6970198ae671c24fac90a7f652d7537f191014917
SHA512de178b3877e6e91be15e47dbe0ceab6e0516789c0e8bc518efc08ed9549e8e365a11275acd30c7d469c957bd15bf57f7acb7f10fe6dc417c070dc6a6bd754577
-
Filesize
183KB
MD5a74799b632685d03258b15358c504f6f
SHA14ecc07bfb9529bca4802624b3022f1f5c1bfb0e9
SHA25655ce1354cdacb4dec0dc86e9f226811b03f9a6319e4081414150a4e430e9c6eb
SHA5122343190d7aeb9441e4790ef280af0e3a0dbb7902b5b1a7d3f81aaca360af71807af004cdb53ab608cae6cc821d236aff758e3c217032495c5d96fa5161c15935
-
Filesize
1.2MB
MD5499e17320cf1e742f55e01f7eb92336b
SHA13fc2af18b4fdab29de2b69fd3ecda89c7d407e9a
SHA256898bc6a3ee887af2d77e1d992a1f38c14e01fa69e89475a706b24e9d6a63e7b6
SHA51267c26da5d5d6819d5a369a82ab6b8b7aa1b18d7fb7af7faa875392f0d0642551e815e22257680f6584ba528c0d720d40cc3aa21024bf6830942ee519c5669ef0
-
Filesize
220KB
MD5aa7cc12b3dde7d799e1183153155d888
SHA18f394a9bd8a8e228ab7295cebd3309096309da64
SHA256ac667d2b3675379b1281d8c0f55314b363c58628b9d7144ec032df1c6331dc0b
SHA5120f2dcc4004fb66ebe082f449bb848acb643ec6a34d0fb152cba49537e2a277cd45fe603202d81c2b79016500eae030cd59f0835461aee86a3fc89f928cd2cbef
-
Filesize
1.0MB
MD55a68637c88b223f1fac3fb1c4ea1b538
SHA1a655224147ecabbaf4d8bb2577156209b51fd9aa
SHA256a5c6444cb47785f054f5b56131c7302dc491a3c6132b58790b8d31fd9837df16
SHA5120df0c017d6d636a5ef348535968341f01fa7550eddf8ab3a3b45d65b7f5099ac9e5392134b2491ba861d68d0b4545b84dc8cef4af8931c41e9689e9b5014755c
-
Filesize
1.1MB
MD5015e607043c90b874c79fbb8d90eca89
SHA1ff203ebdc57402fc379f5ad5a08f2538b8f72dd5
SHA256d07bfeccd987516ff3d4b1bc4ce077a883ffcd939f579a671d157fd2d4517ecb
SHA51267c9f170ff8b52a254cdc029f7ccb88cb83219818c08115c8742cccaea0cc05eaacb4bd894ff76b995b55864fe85feb25df024c973bee8643f08897906168719
-
Filesize
652KB
MD5e6e37e2474b5937c1a145f756f96215f
SHA14213fe56509f7abd595e50d30e4a73aacc64c9ab
SHA256a20f06c5948ab7494affe351d0a576ac5740af4869dc6506ccd6a1500ab485a8
SHA5120819e4326326e6c0f6f8fc96430e88be19caf87388faeeac8074cd4e417fb5e145f8ebb3538eab156783b0d59a0b8a1f307121cc9e631f998ffc12c6148ca738
-
Filesize
30KB
MD5bc03a784fd2017ef45b2a287e5cf2677
SHA134340ea6b35e566d0f2679da52b771d05502047b
SHA25652f47ea7d168e7162ba6acac451627775216b7761ad85a5e72d8c274d5703f2f
SHA51249fdbdb52ae19d4939b875b2884467376bc2d21e64e828ee69086d0b78d3fe447f0a719742d0d00038eb4d3ae00d47af7a1362483f43f22c5f97b9aadcb6d8fb
-
Filesize
528KB
MD5b4025db382bf54c40fe5db916e2cc818
SHA1bbfe26d8397f215a1924530e2fb072d806dfa115
SHA256afc4ef89b474589eac5a915c2d0d4581667b214fdf56c0169edb11b8998fc56e
SHA512924deb510b622e7accb82eefaff33ac351b7a54e46ccc2945502cfe64f733e9d57bb3e6f2ff30884304808d01bd377b4c7a1406521f4c98e72071c7b3de8853f
-
Filesize
890KB
MD5327aa11b65c9cbe127902f2ec75fba02
SHA1458538e3618da2f69566bf654a19a3aca30d29a2
SHA256fd4b9ba15bdb3f4e55e650a648830320ba602ef2bdd0d3f7a793123460229a81
SHA512d3d4162fab37875565500b773595bc643c3a073a3154fd894bb50db370a09195b97bc1d593d3c2b007c1276608dc47328e41cf81401fe1c8bcc91a6f15a599d5
-
Filesize
1.1MB
MD50ccf469c1d2932e86d4a8d0e076e0f1b
SHA1f6dc4b3f9918e82cbf0e66de7240f5b2bfd5119f
SHA25639f35aa3c665edd1a19a13d8e030e667399e917d4ac23f236609688b35755615
SHA512ace2473b33424eb4f4cb1bb0110570fc35d95d1459f817646eec16bb333e9efa76aa3c467eff413c4f9531e1086bebbc7887bf8f2703dda13a7da0980029bf27
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
6.1MB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB