Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
e793813b72ce563f787a19edb3bf55a19b3caf2a08a47602abf10758ee8a1fec.exe
-
Size
1.7MB
-
MD5
f8c81b9a2cd2778c624f0cdf49f5668b
-
SHA1
3bb0ce33d29a62cd7bd2dbc3a3df0ada54de7ad0
-
SHA256
e793813b72ce563f787a19edb3bf55a19b3caf2a08a47602abf10758ee8a1fec
-
SHA512
39d9df7510d1856d0a146ed2b832fb50f2e597ef9facafad49abadd9327cc28c01f74974cfad6e61269d2dbed8e4c89da62dc339dad585388a7de75e5ae573ad
-
SSDEEP
24576:9yL23NnVwZ/quBszeE/DEUIl7Ux6cZVQta263rjOjdn6bgLpRdGfUVPeasq8yN:YLsyZSxN793zvQQ2wX8dq0AKea
Malware Config
Extracted
redline
homed
109.107.182.133:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e793813b72ce563f787a19edb3bf55a19b3caf2a08a47602abf10758ee8a1fec.exe"C:\Users\Admin\AppData\Local\Temp\e793813b72ce563f787a19edb3bf55a19b3caf2a08a47602abf10758ee8a1fec.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ad1mf24.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ad1mf24.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qm8eT80.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qm8eT80.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DL5Go93.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DL5Go93.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zY9Ck11.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zY9Ck11.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ef3fi11.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ef3fi11.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1QN01eB8.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1QN01eB8.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2RG3349.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2RG3349.exe7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3oO28kA.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3oO28kA.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4NA579CC.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4NA579CC.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yU3ac3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yU3ac3.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6kr4IU0.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6kr4IU0.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XB3bZ65.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XB3bZ65.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\759D.tmp\759E.tmp\759F.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XB3bZ65.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffe963946f8,0x7ffe96394708,0x7ffe963947185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,8494097171816691449,6230034148755258236,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,8494097171816691449,6230034148755258236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe963946f8,0x7ffe96394708,0x7ffe963947185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4988 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8692031808913839517,2033666632713510183,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2568 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe963946f8,0x7ffe96394708,0x7ffe963947185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2026166119038794546,12275085603945859720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1712052798.txt"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regini.exeregini "C:\Users\Admin\AppData\Roaming\random_1712052798.txt"2⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54d6e17218d9a99976d1a14c6f6944c96
SHA19e54a19d6c61d99ac8759c5f07b2f0d5faab447f
SHA25632e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
SHA5123fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47
-
Filesize
152B
MD50bd5c93de6441cd85df33f5858ead08c
SHA1c9e9a6c225ae958d5725537fac596b4d89ccb621
SHA2566e881c02306f0b1f4d926f77b32c57d4ba98db35a573562a017ae9e357fcb2d2
SHA51219073981f96ba488d87665cfa7ffc126b1b577865f36a53233f15d2773eabe5200a2a64874a3b180913ef95efdece3954169bdcb4232ee793670b100109f6ae2
-
Filesize
1KB
MD516393da00b76e38ee601d809d118acd8
SHA1ae5cae8ec3683ed436701c33efe2707f23d5db36
SHA2561d3fdf0c37c4ccbecbe436e9e7a561957ca4f144a1b9408c1fc57d2bd2959ca7
SHA512506635f12b41c8ed3aec445147bffec3e23f2ddf7931a123fdf8778f13d0f8f657df70d93cbb620d5b61d8fd8eef2df5ce1bbcc157c94ae025d30788874dc20e
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
2KB
MD5890611656ea19f6a13364a7bdca74b88
SHA195aea77f627383f870846a29e477074dd557a03d
SHA25632c56a76bccab4fb145a70ea6f4b1ef8100938b53f3aab028cf56c342d188214
SHA512a5e5a9b3c740d27c6f7a7a6a6cce24bad62eeffaaba1452b163891259362b4ecab2ffa93e358ceaaae813ef825585001473b00da8cba677546bb93b2a38ec735
-
Filesize
2KB
MD5aad2f43061981ad2075897373f15e822
SHA19ce64b7df007ba62d923cda82913475a52593fa2
SHA256431725283a1000a77f4ade7daff258160dbc04aa6446653d42337c80f6ee3ab7
SHA512a861ff85ec2f5553e709bfc3df6a7aa8cd1c1ad81557cdb5c97b306567c2dca2773b3f5c2118babfebf53ca6f3db22a13f5fcc9415ea8066caf6beb0657a1efb
-
Filesize
5KB
MD5af0d1f963841f38943bf126153856855
SHA198f3d868424530655f43ea1106f6473b02d50b3a
SHA256e4da07eb997c8babeae54b148803b4e6ac7bde82b1f635c978e9002cffe9eb62
SHA512bea4629ab4548445d78e5715b465cc0c0b549e5e9569d09d5fc5119ebbb5101c1e2bd18fb2ab2360f1dc738dad0e55a79cd3ce7ca347d73186427ac2b62dfd6c
-
Filesize
6KB
MD58095ab69ed2e0666aee70d134335a16a
SHA193c090fbe6187a76756bc5e00cc5988ba792c6c8
SHA256891308c4e94c0d9883066b16ba6809309105e96ec8a560e54191d5e3eb2da163
SHA512cc1fdc08c24b0922889449721e31b9a5abbb5c64a8c15e8865648bf69b1214309f20f2ab643352aa63d73844680cb4466702d9f0091b46ec3a72c626e5a7541f
-
Filesize
24KB
MD5c2ef1d773c3f6f230cedf469f7e34059
SHA1e410764405adcfead3338c8d0b29371fd1a3f292
SHA256185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
SHA5122ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549
-
Filesize
89B
MD564cf2678914f66ecfafbd6d05688c20e
SHA1a683607c1b8dbb258d6f92957837d457e80e494e
SHA2567e3a37a39790f8d517c5263778c83661841e47e994ab05d04c0524b0abc3f4bd
SHA512acfc87726d473e6cb67637d5b83a89a240e82dac4787e1fde164f2cdd029f4665b71015c3bbd493f835f245816f5794489bd988f28ff89df86d7046a2e919cab
-
Filesize
146B
MD5225dadb1d6255436ef6aa6a1dd49656e
SHA15d1e6d02bc13f99696091cfa93e378711883c7b2
SHA256158e06480fbe6301a8379899b12a3ee5f1dc2b5101a4f9922c88431d72cf2743
SHA5129414fa8a1737eadb6930b2635f55a28b752f138b4d54016467b32b71ab725a16402697c1b94fff8447379be0bfbc29f1c616216a9ec88bcfdd638c68e9c2d8dd
-
Filesize
82B
MD5b40dbd20cc31a32b189975ba10ed944b
SHA1423c6e3b53c9f44e59fa3be0b3e5d038e8b97a73
SHA25682d84a11c8f59d838de4ff84aa2e88b4af348242024cba0e7f8c6a54829009c4
SHA51252cbc80f343bfe6977388aa7ab9635d076a892a9e72bf316abf825001f170a96d5f1cb084a9d790f7412718d0b9ce94881addd38d93a6a33066244717bec4a41
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5e1234ad3bd9024f8d31e7dbb3a279040
SHA12bc09e910ba473d0b621cf7ee44ae9e76a0e8cff
SHA2560e622eff65375d6056cd166ad8e84a767f563ca8d2cc42b9f8fc35e23930cbdd
SHA51201728086714425e742fe47e25c5cad2959ef3ea3896530b26a88e1d5dfe1d8b36edae30bec01a47af11964bf5a78a01e1e9aedabe7076cd65eca6fe7b4418b44
-
Filesize
48B
MD51458aa19635f14aaded72dde18621bdf
SHA1d82cd38ee7513c1c7d61de6db822c0e234d21ca6
SHA2562024c79aa6686b76b0aac622b8ec229776c4279107bb9e944713f5ac60057ad4
SHA512cc6d7e0ae6e0984457f27094a974a510509209342df5d620365f7e8ff9a9ba6568eb2a65203b124231122f6aa5b396d400dbfc2f4573d72cadce976265459dc1
-
Filesize
1KB
MD5a5d6e90d72c1edf39167b9240976037e
SHA1bf39cd3cba1a0bf98ab5400c35ee7b70a4506e05
SHA256d740c5dc4a5dd48b2ea613c7667af49ffbb12e0fe2a837bd4969d37213c6ad73
SHA51290c6bfe625515a7189215e526a8fc566d36084ad3265189022981045fc5230ec1b9c798b90a455d96f6894fdf9c7879c1a514f33177455dff5f8a1f73d367f52
-
Filesize
1KB
MD5ed7108acf2c80204a589098740816025
SHA1df3164882711ea4c20118848af17ee8f8e2f2f3e
SHA256f1436ed695d6ff286ab79e64624857fc97224e45019255f376d5b914826750c9
SHA512625962903c2ca2cb8e2253219fcf436b5ce119e142f1e0ddca5f06c04b2c4c5ad2c36d2609209ed3878f01ef0571932f46104f5ecfb2a14947cc6f341cbb09da
-
Filesize
1KB
MD5b02e542a89472756fba7d990b2847a7d
SHA120b0b098e4e2ba894b77398b16a1e383b969993d
SHA256b4636f336c3978637f12adbfd853ffcaa77e56e351c12066a3c125f3cd194cbb
SHA512f56d44f575c27bb31d7b3fe1283470e882b1f53fee050db8a0f980633e24b5750e6f63c3d7ee92ded95f1fef10c7182dfd6647132aebd7dac375f4036ee1813e
-
Filesize
1KB
MD576857b599b24bc2f30b877df7032a0fe
SHA1ab22632f58ae58855e000d700a2304f8300e2f7a
SHA256e018afb97736cfeb23b05d077fc4db50e290b08021a527d1a780b4963bb03855
SHA51242f870dfd522a91a562192bb623ae8df74c4386449dae031d86c0629e965ba4f27df9b23ddf9f347e0f3cdaf87860df3b8d5d56239db7335eb2bbe9d75d0fa63
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
2KB
MD557d9a0baa45f79fc3e6585ea9d7a348e
SHA1e5a59a3afb01e73da2080434f9c1a8a77a961ac4
SHA256f60be5a3f2dc423281f324e9c2a2687ddababda7cc0733ec73e2422032158dea
SHA5123999e8adf654962ecea1be72fb9392dc656fd57254c7534a2cdc832863ae7aa37c0a5fcd45cf77fbe3449fe464712cea86f2e768a0a497f0702b924865f63032
-
Filesize
10KB
MD5e2542dd40dfee9847b0f2d7460e39e85
SHA1180153bda71df4230e37fd80f1fc17e90fece806
SHA256ce11abd729cf4b3c9b9958cbda6d105743d61977c606beab2dcc0abb3cd9213b
SHA512376386d6a3c4ad8f141a3acca43223f4cc59fe45193e5dbb7ece1fe14278057b3aa67a17e45d626fe4dfadf56a690609a966eceb05286f648f9460af355bee2d
-
Filesize
2KB
MD5a30adc6a596df800f4ad494361d36a9b
SHA181b7805a25a054a28a8ea7c5b38cedb6353aa0ab
SHA25677738db36c47e1110c52fda91095c035af5bb1c8e154f66f1192e6cac8127c41
SHA51276f7454a580e3b05e9d3c9a8ef963858e8164e9abc6203350a2a382dc27af9b031880fb1f8e7b04511db2196fee8d380c6fc9be7dd2e6c4688c7e4ec0995dcd7
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD5588bd3610967f9962547fd3a6c221708
SHA14b0aa17614271188b0ac7077d3f14eede19b796d
SHA25660b8dd024d9099023d1d57745d08a0eb558f9e0dbb93be0caf2fc9438d569f70
SHA5123f9c3446b161dbd611da36a09c4d538a7726ddfc19df8e72a1bba2c14d8145f30440753611ac3bc8aabc90890cb6ab068397ba75192274d47c3bf4444894f06e
-
Filesize
1.6MB
MD506a6c3caf8a8dc4a7ff35f8999847ac2
SHA1afab4a4032111d1b0ad1cca5aa8a1e41a4157f44
SHA256508e8c5871c885ed890853323a6afb08051237ac82278aba09e266791dcf5e5e
SHA512300fb5064d2db26744a154124f6753e6805d620df9b5a60791556df8de0f3453d3d42d48994b33fdf88089ed89fc78d300293aa067b1f6606829281695e4727b
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.4MB
MD5b07da802117f8e9069b1fa47b0b7db2c
SHA13430a0586629c98263dace04746d33f87c1e3e48
SHA2564887f5ba350e8f559e8d2f0a6e757dc5168f7d96f5524c9a78546049f1b7bd19
SHA51233fa374ea5687ea3b084969ea78b5def6826406ff9dcaac865243508d779d4004818f79d49550e9ff1b9b96146eec523d4e238f559be99c2f55f5073cc5b4878
-
Filesize
1.1MB
MD5e246bbdce83a7fd3357e5aee26ff03e6
SHA187e5338e16620385b88b80684edeaadb0abe09e8
SHA2561d6e91ea86ce2b75126908364efcb4ec445b3b96f80e96f1b7ce389ef5964e7c
SHA5127d32aee4759399c980739e997332f2b5d9652fd70cf2e4a4a62103c6281f88bb7f33acaada917b1e2906d2f493ec97af50b606233c3ee9e76219fd9ed1561a06
-
Filesize
1.0MB
MD5fe32be1c27c8caa560a5f52d68b12c49
SHA114fdbb1210bbb65dc67069446931eabf317ffca1
SHA2561b994e94b7bf5626950cbfbdf321f374edc7733755d505a842a0f33a2b1d14f1
SHA5123cbc2e0a7debcc2ab27ab399d44bf132d2502d2a2b88527fa9094e155e3337e33c809ce6e4cf13f33cee425e3b6c89518072ab926a63a4ff93a793f771f7d945
-
Filesize
897KB
MD551ec296ba8acaa002bb9a6e920250a5f
SHA1d306b6a896c58e158f81c022cac543c62e697ef2
SHA2568424f50f82c00c118821599dc8b0a04a389dec31a203b968b26d25935a577cb3
SHA51207c0f0cc2c75837cc90b8be3f20b518c8cec051c2983f2f583cd7fdbfae12c5e1445e429568923163524d40d12c9343cf4e81db76c3f3eb6fab650bcfa8d1217
-
Filesize
688KB
MD56f52e303c01cc06c5bdc084a80f7c0b0
SHA17c9a8e0f822069dd5463d115389655b05e38d855
SHA2560e6a85291fc7e8cff74031f5c6f8b45ddbfe4aad670457eea2211a7af8b38e75
SHA512d84273bf44b6f9b5ec5beb786e259ad5e97a084040a3ac314197990ef579a460e220bfe74faa73c7602058008a7378b9c9b40665bc690afda30fec7402220ec1
-
Filesize
180KB
MD50635bc911c5748d71a4aed170173481e
SHA16d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
SHA256a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
SHA51250ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a
-
Filesize
492KB
MD5ecc4b7be6d7509d68ffeb705de601366
SHA15714812e18bba08d1817c81b7ff16fcf41488da3
SHA2560136d5bedb80c6600b1119fbc9cffd7773b56f372dda7089b7a8bfcc6227dd88
SHA51255e9504ec28a2df166be70657384e733ca142a11b6e1507787fb4d6df20bd6734ef37638445c27456a025489ea35c84ec525584b8c06ec388291877e0b1e5503
-
Filesize
875KB
MD573d86751a127f28504b4239773c328be
SHA1a7b5a37edc0841e9a269b827bb0bf28ae0d8c330
SHA256e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030
SHA512464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0
-
Filesize
265KB
MD515fe972bcfd9189d826083838645b850
SHA1d2bf7fee68e358fa71b942b8ae92e483536abf86
SHA256ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4
SHA51230f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
78B
MD52d245696c73134b0a9a2ac296ea7c170
SHA1f234419d7a09920a46ad291b98d7dca5a11f0da8
SHA256ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930
SHA512af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
240KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB