Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
fca622d2096af6d499789c6ae2afb61575c07fe93e62af79d33f5890f77e842e.exe
-
Size
1.3MB
-
MD5
4be5a608b4d35960795a412fb4aa396c
-
SHA1
30e56d3901b47e0543d640de27926f25fc27f03c
-
SHA256
fca622d2096af6d499789c6ae2afb61575c07fe93e62af79d33f5890f77e842e
-
SHA512
e9bb712e59f76c00ccb343f32c8e826eb5cba8ca1634d13102ee557faf6e4b0281932113ab0913d59f127db3aec60ab901c0a5b5f9164f6e1ce92048e94448f0
-
SSDEEP
24576:1ybKa+UsJQQN8cTVvN6Th2kqeyGZfgxHDwvVF75LFPJrqxB4kD+4N:Q+aVsPVwFVqey0IxHEDhoD+
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
redline
grome
77.91.124.86:19084
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fca622d2096af6d499789c6ae2afb61575c07fe93e62af79d33f5890f77e842e.exe"C:\Users\Admin\AppData\Local\Temp\fca622d2096af6d499789c6ae2afb61575c07fe93e62af79d33f5890f77e842e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hy9zT15.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hy9zT15.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ls3FB79.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ls3FB79.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pg3KG63.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pg3KG63.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KY9DU61.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KY9DU61.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ny60Nc2.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ny60Nc2.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2uf7570.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2uf7570.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yW94pQ.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yW94pQ.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nv442KZ.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nv442KZ.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5hS5em1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5hS5em1.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OH6ne5.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OH6ne5.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5582.tmp\5583.tmp\5584.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OH6ne5.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe1e0146f8,0x7ffe1e014708,0x7ffe1e0147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5568 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7337035647640188665,11579782630045334780,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3584 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe1e0146f8,0x7ffe1e014708,0x7ffe1e0147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16729670906844054008,14559630275530557924,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16729670906844054008,14559630275530557924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe1e0146f8,0x7ffe1e014708,0x7ffe1e0147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,12175265543806551601,14762634539238283819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:35⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5cbec32729772aa6c576e97df4fef48f5
SHA16ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
SHA256d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
SHA512425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
-
Filesize
152B
MD5279e783b0129b64a8529800a88fbf1ee
SHA1204c62ec8cef8467e5729cad52adae293178744f
SHA2563619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA51232730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
-
Filesize
1KB
MD5f8dc154050c8d25dc854917069005b56
SHA19de7960c1d048f21e27710411a5b30cad66cbfac
SHA256d991161ef7be34f9df06507795bbdccfbbc2725b66f341077cd4053c4d5bc3c4
SHA512195cd2581c974a5bc821d56a55ba472bf5468ad36f9de4819d19e894b993ea87350cfcf79d742250ed78a3f0281c6c6320d3d694ba5eee8b9027ab34ff61ea93
-
Filesize
2KB
MD5e3070f860ba205444e2fd0cad4b7377a
SHA1092cb32718913f08c8952cb3919966c8c86ebc23
SHA256777d5457d551ba75b82ee5e8f825145a20fccecd79011f42231c56439bd80f40
SHA51221fd1d73f2f71cb2a435a20cc1bbe729cf614336377e58a80804cef26b25aa3140191562ac893fb9925e1ecddb8aecc10ce2ccb42ce643bfb6ff9632d1fbc1d6
-
Filesize
2KB
MD5e43d17f64be04941608ae168dc84e334
SHA14d88fc78889d8057e7e56687dd9401581748115f
SHA2568a07fe87f1c446f5296cc8af8be84fd6be4f8f570220c71a43567fceeacce468
SHA512fb003a85706e3a999a7aec24645fc98b5251682901faaf4ca5fb2e5e1499ed5a73eaf6daa88f43fa3ec8534f585684f698246d44006cd900a92240dc28ef1422
-
Filesize
6KB
MD5a7c29442dbcb8d5994cb02b2a5e98122
SHA1d7b76d4b574ed2d66615b459fc0abc5eb28deb18
SHA2561a284650effa31067521268abd66e7e4256ccad4e6bdeb23e041ea053400c02b
SHA512ab875a80f0609cb59a45321a4db56d9934e9d824acfccc5b929fa60d867830b84bef6a3902fef768c345bf2a938ff19979d052f8ff42b165b4e1b8add26d089f
-
Filesize
7KB
MD53f721ab905a63ac5c3f55c313a99df47
SHA11666ff1b10f3ed1e21b61d96bd87183d0434f718
SHA2561540e08390833adc46cca71f634e537ef335fed1f05c941744c450888f52a5e5
SHA512b8fcff8d716daf6c507575caa45b473d7d650205523ca0c5152e77eeab2a36e167bcd66f48b583a02d38661af7bf31b376ea005a92153614ddb2c13bb0a4ed9e
-
Filesize
89B
MD5e6037223da6336c4d0e1d1ea691f4247
SHA11b11423ee935ebaf77e6d77816f03305f16eb1e3
SHA2564febf61c05bfd61c20d40560ec7e2e4e44d0b364a7765ebaf2cfd71d7c3e09ef
SHA5123c0f5c8a5f7f26f783a97faab8b7db9cf5aa2b3b809d304677b8b5e4a67accde9d9510139365e6c21082fc0d1eee347a769ec5fbf0642505f4c7ba128c012c47
-
Filesize
146B
MD5ab52a903795bd9eead30daee03853668
SHA1c19d1e2759911e3619fea6e3aed6823394e47314
SHA25615d8681f6bb82756cd6765e4340efefe9442c05373f7dd0dcc741cb11a424680
SHA512fd63ec3f4d5dd42f2006bf60de0dd177d430418fea46b84ec36a22f2a926cab5a24c90638ab6c0bc12c0ba177bf1efef82d44bac84457743b24d916238d56cf1
-
Filesize
82B
MD53d2a03a83da80b770fe9268a6f18c429
SHA1e6c49f1855194ff639a45ee039fb81b8f70835b5
SHA25658fcabd7434730dbbe3ae9b36413c17e6e98b6fd76f04f377310752324600379
SHA512d4dd86f1d3786cf7a9f22c6bdc60cad0adda120d60ec467e63c9636375dda32371a56b0fe1cd2aa4d141c6d3314a89e14920a6cf0141b18a3362c612d8a276ad
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5f0697c33549f9fa0e7d0a6fd576fa356
SHA1a85449467151dd291d2c4ae618debb97d7714d5b
SHA25657881160e0416b4ed0e39386f8272fb29d558fe6940cb8400225d2a5d64299eb
SHA512ff6e248502916de25572abd03395630c931a8192cec0b3f545c8a98be860ec03964fcc12d19f3d03226232fff912e7b84898b087595c50deba2fe118063dbd8e
-
Filesize
48B
MD5490c91ffda5789b929a7bbd8563e8f79
SHA1c2242aa1eaec2c26e497cacd277eb6d7d6891f1c
SHA256d698c5b58697ea75fe7352d9aa22b5b2154119d725d222b8186dd25c0e5505f2
SHA512566437a97f032c666a38f892ee0184e161b21346fdf6d8ae7ce57c669ab711909b682d03d7b7125e577d30c56184934775f93630cf439a108c1c0d3a45f59e00
-
Filesize
1KB
MD50940f70571d4c063bb9d3bd7d6ef6945
SHA15ecc55e54d732c939dd378d3b9e9be4c7e70b767
SHA256e67d729ad97536591d72d39d611ec86d225312fcd23870731e15f3aacca58d42
SHA51279e57f1c5f62c1fae3f88a75748df0dd92833baed82ecf87f1d0e1e3f341dc5ab070d078f08cb7cc512c83a8bb1afda81f208ca4547b9256194ad417c4ed88cb
-
Filesize
1KB
MD555ff00a3e8e7f183adca5d491702ad95
SHA1b50ee02dc329d7bc02cda57fb8079de8f86534ab
SHA256d68622a717dac9c3df2d3cffa569386d9ecb36dc58a13151aaea12f836e73843
SHA51228d722752c6320fa6b58c237bc6e2e7bf0e7a2cc0130f4573b971df7fb462c4e8ba1c84d4b14e4df2a82dfccbbcdda181612c6f22eafd204bc6a6d52a6694376
-
Filesize
1KB
MD59051d2d93bb155dcbe668ef123e788e0
SHA1c64ce8ff270466e362652b0e08afc67731cd8182
SHA256b4e2d389adb35c16d55f18e980ec185272e4426f4388657e3bdb4ace84b2f7da
SHA51217616f2812bad4fcf512d3e3e7908063af913deb15db9455702f6101d7f6d8ce841f33ea48a7652a3263d818c50ba205ca8fc364400b59f72055f45e30b60256
-
Filesize
1KB
MD5f1d14c555cd4892aaf40a762a2133d62
SHA10ad74c182e1bf53776b9311be6d60bcb1654fb4f
SHA25678b3bbe714840cc6f872dc7e17cb6d424ab02d983ab9e4981059af956eea699d
SHA51230a8f062342f596e380d7870c4e33656c34de3380ddf25eda260be192b2415d74fd143408e98f0970eefdde263bc59ccea82bb5a9296f702584ab4502857d9a5
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD56c8cc838725c29bd639bc820bbe4b2a3
SHA1860c61c071db8d4ab2c4267a12eed5f376a8a00f
SHA25637a4d127562c89c6e7b6ad81e00ca1ba607c55bb67b661fb35d45e9e5192c830
SHA5129dcd78d04baed1b59dc4f7faab1367dc3ed22a1cbc7c5d26d0543f3a4ae02e28e85b72f3394dd57b4ab0c2e7a4b60f6a5ba0e2f6867c7f37417a491be6337e42
-
Filesize
11KB
MD5316ab5da7348ef28eb9080eaa26e4b98
SHA1bfaa140dbf7a6f2967df454223ed04f8f2ef7389
SHA2561b322e562a2fb9dcef2fc279a08bbb2da6345a58909502a1c3b5716a5dc67777
SHA5126fa65effe4001f96534a07f41f749eb09d13d4379e63d18dc4fa8491a37e536b55fce6f5a7ece91ec245daaa16b98723e3938f00eb63dbb84d792832e1edd70c
-
Filesize
8KB
MD5328dc5a9915142006f740be07d0781ca
SHA1a922e420b42376492c90d8a8b93bb564be1d3fd2
SHA2567ebeea58b5979aa9d24d039f03d528512fd71fa3261a445daa2ae38c3bee9ab2
SHA51249e2b934c6116193ed8d51a19d87efe897f64eb02574d8e3de0e0bb101da450ac21dcd6d0d642a69d41b64372889591743c55922434e583ed0117f042b542de2
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD51ee7e5e8f44af92aaa355f6103c536f1
SHA135199c3d42903c3dee654aac2a89c77ef081b7ca
SHA256fb201b12e7af37e1967454d1d8c1be6189870c36d378899c648614aeb56a62f2
SHA512f61c5d6f39e0605818e7f3394a930f792a45424408b91b7e75d35dd5e1afd22ff7c40eac62c8d7ec46596b0c2fe41f5ca2ae9dab35af1fde1289a7c66c95d75a
-
Filesize
1.2MB
MD547680c77dbdb0923acedef6912842be5
SHA15d9bbada699b01564a6ee6d729ad1d82bd6cc6a2
SHA2564da5daeca763606798b7b6553904599d0ece9bd60307b410ec589c0b058df9fe
SHA5123b4fe5a386057f0bcb9770810ddaccdf55562bc8a4a4ade19deb050016d7e72eac1fc150102d9fba7380f06ff98621f6479809031ea01b8ddb7998ae0f4e92cd
-
Filesize
219KB
MD5456694d350aab8a42a421ad99a3dffdf
SHA17719392c293d60825616a05e4a6217b4ba0d4846
SHA256ebc3e949b1a8c060d09182935b0f8e3f443b4bb28d053c83c5eb3336a2ff4a5b
SHA5127162e89bb3cff3c6dfdda83ca2261c805070f6b9a5a923fd212f2056e90a2418404a530fe9794e8ef4541fd8cd93b5a3683ad909136d700bf1908d7f37e5f895
-
Filesize
1000KB
MD535ca46e0b1cb329b2bb02c1d89b51936
SHA1feaeec1a5e6f0bfbe7229dc718517057a8dd16bb
SHA256b4375a772eea226fd49d26d9bdcfac2463fb3fa17d307b755cb55727332cc9f8
SHA512d95e482deeb8d79c373c7935499f039d67ee0c7a69b1baf559c1e58aa1834a7795ed36efd04a6f6d80a3befa6f688e4e180e76d270a99548659e7dbed5928682
-
Filesize
1.1MB
MD5e8514b0520cc9326f103e50fca194b20
SHA10dfa6c06d8380b5487aa810086faf7f1bab9040a
SHA25642392b571e0b177d51c9ab9b753a7b73089eaf44ef0318c957e93bc0c99f5659
SHA512328cb0f2c4f7cf698d641592a46e54c29c07f6ffd5443efe9c3cbce09d0c7b90b3194209f005c4ab2bcbce0d10e496e72301da3f19c321c53ce1fd71b05d409e
-
Filesize
586KB
MD59215e75f71fe21513f02e867f1b3a7d2
SHA12f6f6d19bae006fbb5d9a81f0e07fbbcf1162bc9
SHA256ce37c1c3715f9cd6e2c173244e0ebe1c2e7a5111346d2898478d739198a1e2e2
SHA512f1f3a56a6c33a4d63a5522d0635f17910262855bc1cfbb84a3b8ebc2c5d300f095681e7a9f28cbe25cf2c3bbd443ac1a7e225d5f2331bc2a8f12d74846aca33a
-
Filesize
30KB
MD5f35802962400fe1fc343743081981a1b
SHA19b611081b8ca5142e99fcae99d4ac3f33f0971ba
SHA256215053c0082fe3d022320383daaec23a8db24e94a493f2ddbf4bca206a2afca7
SHA512eb3ad92a2db5a17a207759955502aebb83c6a971469356a04b996dc4681bfdbe1d482299817d8b7986af1d637666dcb3ebf808f8ddf1161ca48eac5aa534a370
-
Filesize
461KB
MD56019a42c48b18139864f3aa91e649af9
SHA17b8ee7df931d89cc259fee5ffea45888313cb2fe
SHA256ea9ce37bfa2d03c3fe6281885b75805b74fda84ca6f586c1a5e6de0598ab657d
SHA512b9feef720efb9166d439ae93e0b56fa328ae7e816f5e61ae8f778c4af400e345462f0430d255d38a2390d5a7ffee9fd97c4e33d35cb82e7e98bec1b5bb5f9415
-
Filesize
886KB
MD58888c49aa48cf0ea1dc2be358624d147
SHA1055f7dc5635544ad131cc1331a59e866c9402ff8
SHA2561e111d314fae9689d28706c674c71ddaa6d7ecfc4df9d82560b4cc6dcb5a2348
SHA5128cb0c17f17baef58112bf01e14242b24ac9e300a0fe6083554b8a4aed029ee7cc7afb174980fec2f782fc2fa1fed5f3d607dac963dc6f4c636c0cf52a8d8e8d2
-
Filesize
180KB
MD5510bff153898562191880e4420c28490
SHA10eae385609c72ce5643803a451a3f1ac1ad5bfd9
SHA25644beca3ac9baf578e2c6a875e25a881085e1695fb0728978126cf62da1a041d5
SHA5123253c66229a6afa846cc93460ebe35d5309acb3d975a8ff702d4ea2fb386b6f8bd074843a9a1dda2888a9480eb58070738c5868feb3bf6ee1908c27895bcba5f
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
36KB
-
Filesize
36KB