Analysis
-
max time kernel
167s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:16
General
-
Target
04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f.exe
-
Size
1.3MB
-
MD5
9e812f3cb3b6bd7057626dc1f8f40df2
-
SHA1
768b2df69ccd958e0865575e10f42b98bafdba21
-
SHA256
04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f
-
SHA512
69f3903c483f01f1835bf54f52c78c25dc62ca8f24ad3020c754aa44230ac3bc55eeb1c6cec18b7511d23aad33f56ada18ce5875d67b07aa144de9b6013e5156
-
SSDEEP
24576:uyENvyaKYUdsbl1Vtkig+4xZCUVjjEpB1eA1cOTYDXaVKpHky:9SPjb/8dDMUVjkWvOTYwwH
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f.exe"C:\Users\Admin\AppData\Local\Temp\04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk4dS63.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk4dS63.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ik0iS59.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ik0iS59.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qI5yO02.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qI5yO02.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qz1Kj77.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qz1Kj77.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1EE79Gx9.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1EE79Gx9.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB1958.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB1958.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hC15ix.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hC15ix.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Qt187YU.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Qt187YU.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5cj0UU9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5cj0UU9.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6wM2wR2.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6wM2wR2.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\12A8.tmp\12A9.tmp\12AA.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6wM2wR2.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffdf32746f8,0x7ffdf3274708,0x7ffdf32747185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2240,14088493381779721951,13393112701566227277,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6112 /prefetch:85⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffdf32746f8,0x7ffdf3274708,0x7ffdf32747185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2170630315906879943,13644989577195179115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2170630315906879943,13644989577195179115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffdf32746f8,0x7ffdf3274708,0x7ffdf32747185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1726808789474911501,16620604165783267584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1726808789474911501,16620604165783267584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:35⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a774512b00820b61a51258335097b2c9
SHA138c28d1ea3907a1af6c0443255ab610dd9285095
SHA25601946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1
-
Filesize
152B
MD5fd7944a4ff1be37517983ffaf5700b11
SHA1c4287796d78e00969af85b7e16a2d04230961240
SHA256b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA51228c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b
-
Filesize
1KB
MD55b5e3e1f3daaf688099d665eec596100
SHA10e694a62743751a7f2d232be117ac6d9e657f18e
SHA2566bb147ec49682b3d146ac8f3177492e08574c05f300fd4d0472c79d9b301a281
SHA5129632702cc52f7609913405564f8a5ef6d51c5f58800bf48885041a355b1fc7584ce8aa805af431af1cdd24f7fb014c96609c599b656cd203e9fddedb45c3c7bf
-
Filesize
1KB
MD59f1286d069dedd658449f4b5f2189817
SHA13b1c163c8874dea5cdf50a1689a08231dac9bca7
SHA256e35f91a1f46456579bb26b6b4948dbe88a2bdf840a233c3882a4c97e85c38d96
SHA5124c3ccc179cb6c69b218421ca0f0152d685863bee6ed1a1bac5f7183dc31fdece26118ac13af4d5de3f1b393fbd67338161efa583a9b9ffed92aa56b72a96d9eb
-
Filesize
2KB
MD561e2f17497ff4713745eed228741a30b
SHA1336ce813d994a27ca35d7560d18f2bbf0b91fc69
SHA256aaae6d3db5fed7a57a2f08886242e6a93c7be2512c5aa9d1b4b566d3c25f0809
SHA5127c5f5036f2ec016e764400ad6c6361e8f541290a20a33842e8a3d710e3d175d8c1996fdbfa9edda7eb435718e930c114172d14e416da5fd45bd1c47cef9d0374
-
Filesize
7KB
MD5f7c70cf102207dc38d1922131e53aca8
SHA1514796ba754f4614aba2b300746aa76a661232f4
SHA256d8e416765f511f56dce475c56684f4a3b73e03e81261c11a03de938b52c37143
SHA512738a849341f1b3d722e2f39243b8ed8e23ef8b57b0f5aa0a9e5865946b14300b77876ee94e0f15a8b372593f364901701a42b62fef80225d87705c0cfbe62e5f
-
Filesize
7KB
MD5b52558390c2ae19e2ad2303468eb8ef1
SHA1cc93913686deca51b7b91ea1cc80ef444ebf6969
SHA256ffaf013c499e8d8d586770415ff609b2b3e718e9558ad2a22fab254b9d3f5ff8
SHA512b1da64b479f5c05bd17e6ae63318e8e5abb6de966f5eb3f12bfa47b115e90c085fa75a9420643b90c54db46112f8e5f471e4c1dfc39707a0c618af19c3012466
-
Filesize
7KB
MD501523363d2624791f9f20a45c419f1ef
SHA1597fb88252293c63453bda588534c222762ba7ed
SHA256bf8c09a62dc68fd72827fa2163425b99b5a296c1c60a2d8901d082906773d06f
SHA512e48424c763fb3a34c72e34239c5855a72859d5d7532bfb4eade5eca8ce2fb227adc8cf1681de6776d25a1564af2ecd941605cdd899b3cc33fd0462b2c8378c81
-
Filesize
6KB
MD5ef02ce65251c61c7bb9f7ceb8b06af12
SHA12cf2991302cc1d4d40660a5d2937b12005693431
SHA256e86a133238593c84d2060cc871d38c40b4ccb038144f7e8f369cc01bdefff1af
SHA51268ffbe3a8ce95918f2acabfc84a1be52581da7be1680590a7a876251cc33761cc3013a6d98fdb190a98c3cd020c5872839a519922853f03223255ba38ce82f85
-
Filesize
89B
MD530513da1841b52ec4dd2d57e16c486b2
SHA1cdf9f3b89d58cdb66ad95f569a6ad1ca33d7717b
SHA256bc09319ba2d79200918699722b50f853ac0f9cb5675ae8e017c82ddad03fa32d
SHA5124ee83485d070c1d46745dbc4f5c8d5a0d5f2681b53cced7e01ca44362ea5c021e0d1bd5cf374e7f1a89fcd55f093e4ec0cfec6aef2d8e283c86c719a763825d0
-
Filesize
146B
MD56e0324fae9ddd8a29d9c5353b808f1b1
SHA17ec8e19d52ea0d27a905f3133e3d793f96ab70cd
SHA2569a8ce10be10b7be33f5f9b9f9172d8da6079d14c8fa14d0eef7ef250e6028eb8
SHA5121fb74ed0acdf48d0951dbe0aeec421cec6939d90fd3bf37e42cdb52e11e413abbf929237daf85638bdcf9d3a5c72039668e73340743dbaa5098dc69debc63867
-
Filesize
82B
MD544c992f843a0a65dad51485991493be6
SHA1a4d4d6c4a1ee3aaca37b66777774ebaae89e0997
SHA2569166701ad7f8fa40a89345de22b9aa852e0c3c7966545b64aed4992043faeff8
SHA512c41e16b8fd08916efbf1e9afa4649adc27741fd4bdd89dee6345057c9d397c44252d2daee86638d4f22f027b8b42c9de494c6e9ca3a959c53f4de83df086fb50
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5069663c7d8fa3c33046f8ce7512a5d49
SHA1a63255ef9c550157c851ab914e81210423c2edc0
SHA256ccd2f5700d2d95916b831d2af92279ef42a048e7d83d3951ed0061530092dd24
SHA512469a6b383e5f67a502349784015490cf30cf8e096d8b3ddc82200e599652551dd6c9c981074a7b564e647ba6837916f4ece9732e773353fd58df621ff2fcddb6
-
Filesize
48B
MD5f4adb887eada96aa48204be970761c5c
SHA1a5e384b2bdd2d7c39f6a9c1538a21fe1a2c927c1
SHA256d0db5906bdf483aa84ff74f4e6872d48dc40bbe81d96264ba93e487ac4b900cf
SHA512bcf03f522cdefa42d012bbbf35b2c0b9d231ebc6db94805a269bc1f311685bf1dde7dc43b29e83aca2ad32204a07840e92ce3e198de19c064f69898f48c6e56b
-
Filesize
1KB
MD5bfbc02d9cfef36ff41e6f0308e203359
SHA1f0cfd1f50a69f47460b2fdbc92fe65e942d5295e
SHA25683ebc66499611390c55bbf9ab677dcc847c887e06156f938ad629ad034458006
SHA5121ee212c10b84c7b086172470e5578dfeb08703c7daed26b532b3f355e9ad5fc032ecc4dab76bdfa4316aeb908f1c9ab0f8a66904f26dceb678c54d2442437ed7
-
Filesize
1KB
MD5ddd2b2c038cfa276284dc8c646058769
SHA1ec7e452047a8b04673a7c8f0481d6bbbc3ffae69
SHA256a41fd8b1d3ea8f7706468269c06872b0952f589cf647d1c5f4d9a3c35fda2528
SHA5122e10786e27e130b19c9437d0745ee48fdb048d73fd6361ade9fbcecf8b6eb8aeae36a57654f307c79a02d2b48305fbb83c20aab17cc7d13d24d028db71076610
-
Filesize
1KB
MD5ca5c134322c44aaa1cf1771e39fb9a8a
SHA120b9fab8e3bafc8a0846ab9e30fc9188f300e992
SHA2566e7cff92eb6cc36ac273949d494bac6bb2012468c8b68136b0e82b989afacd24
SHA51222c6352deba08a1f35ecd352cfc9b5efff25aaecf3353fd1c310d49be55046b57170a15069be3725142a061e49e892a3a4225f950551ce7465295a6c5d1b9bd0
-
Filesize
1KB
MD5ab8fc612b4fd153c338c76365a35377a
SHA16230609e8d5c3aed15c9e2fcd9771454017633c2
SHA256e740764cb8cffb6ae4c7317078980e41a334c2b611c1f847cb29eebade09dd75
SHA5123a62ccdc64b8b3ea5fcdcbf82d5466e346846d50983b326b5d254a52ddd7ebf9c13bb1c540156eff3ab03c7159c4727f831db23cb11cba4468a57d73dd48037c
-
Filesize
707B
MD5677e4adaeab8f6bcac79a396d666594e
SHA176b97fb61fe406ea1f238c712fa20e80f35ac719
SHA2563b2fe1ec2a3ade1b885855b25f02fc5e9ac01f57ea551280068c40029648bccf
SHA5129d541f26394ab1ff1bb2ec27c80fbd9f63d46af165d09285061daa61dba12fa6042b83d4b50b4725f05fe710276b113fd27e8699227edc489d4d45ccffa2dd04
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD53b8a9412ad6cc7cc9bb71ecbfd97a343
SHA1d7d69ae5e5214042b35b90268ec38b329dff85de
SHA2567a26fa33e1a0c6d06a0337055307cdfb2963f3215d3387791c8b1060844c8494
SHA5126a06f2919604b291173e11247ea14c77cd4ea7af892f8720ffee2df6f393f468747e22c3ba21c87d3244e40de72210dbaaa61eba1a2f796dca7ea347f36775c9
-
Filesize
8KB
MD53242c4d38d924a36d429756bdb8b61c5
SHA18ec61ea46622a5255a4b0b6c79f95e9eaf586c06
SHA25686a68a8dd853ba1f763e7c7fa50d224e6967afeb184692487c0df35d14bb9e05
SHA512022070bb27f13b384dd7fc64efbd48f1fd6239a264701e5a0ccf100df322df59c31b40c43057378dc123b44fd55269884379d24c19b606ec36bfb852bad62c4f
-
Filesize
8KB
MD511c46b8d05d375e55289e307714bcb9b
SHA1be3e77d9b7f0a69168c947c5b416cef62642c5a9
SHA2560f09a7e61026638349c8cfa26dc7f87f3a8281398d644d7cb0c20668bd6fac35
SHA512d5a759260ae563144dd0de76514eeea472ac9c10e479d6330a81a4b553301ca94411610c82be0e49799cff845f21c92b88a9324728469e6ad47eecc886661b68
-
Filesize
8KB
MD5a8b2d874b849aa4176419aab8fa02168
SHA1a05d4566cc8fd179bb7c93bf567cc2553e11e1b7
SHA2564ef0a31f2d008f93934c2b9c1b858d28587f9f163b83c03d52fc9583b9818cab
SHA512adc75a2aa650560549c025de10494e6077d2ddcb30a4c6a43a92e0a48f697e65f2f1f78a122ae35b56ba9d05fdc6f63e95226925b45db3629e387bc66a009bb4
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD5c156478ac30551df648dcec6983d346a
SHA10e22d46e3096c9567984a2dff5e6a0788b42892e
SHA2561037c68149043bbd84cd329aea94f1b40ea955e9e14cda7b3d724d7581212fdb
SHA512c7912c78302936c61c203b41267e96dd93e3707d4deb26fd4579a8ffff929d6b25e3e46958305eccfe3f95f6e9606992ed4ec60b7c457587269cec0196fceff6
-
Filesize
1.1MB
MD552579e37aaa34ce41bea033cc022f6d9
SHA168b7433eff101182f196f69c4db9aaf776869aff
SHA256815f6331b2583f1ef0ceb33877b8375654a74a9598e6112ffc8b7cd7f38a793b
SHA5123a8ff3767e5982f7b80f3c26063c98a47467a98edce15b47d75a3033f853c29bf9f7ae6fe2a72d99cda775de7e48f30eaef1b831a9ea0565574228b75e834923
-
Filesize
219KB
MD5592fdc333363c213241581b9ace2ce1a
SHA13fcc9c4f49f3b5095fa3130215139b48f318a51f
SHA2565596aca585011ae25c053fd1e63a34223f5028b95b30a9d3f208403fa7e6c631
SHA5122aa074292014d761dfbee693abb9dcf85001df965ee86ee23383d6ac86d40a9e9c3302b186cf398bd9853b29d1c3d3448be2c8a1cb8df0a3c7be75d5fac75296
-
Filesize
1000KB
MD5e4bae8bbfab0c4652462777f62c53bc5
SHA14ed3dd73dc909cc4f9088e866edd8fb69ad63fdc
SHA2565b5673ad664d510b16f8cd52c97666ab3545b87ac0f8c67498bb46798e93877a
SHA5121eef3d35b8152766d3c97e9a4822a0af299e786123c096c159c08655ef0509da409544f1ef21b5d0d6fbc15b03bba8b8924c5a6320f9b1d157add522745946dc
-
Filesize
1.1MB
MD531f18bf9fafb9df9d2576f21b839f207
SHA15bed8e92928e77d8273237a6ecc101c971de415d
SHA256adc7109c762674906da495c5f918d90fab4cda765ec6bfc5c0959da138452c97
SHA512d71e18e56a599af70b308502a70eab8d6d76d589602b642f2a61b1b8a2534a0fd604ea53b82fd35f68e8bc8f5dcc6a18fbd55f46d17d30ab70db933bf0ab1459
-
Filesize
586KB
MD59ff69d782be45c75bdc58db2a6f6628c
SHA1c37051f31ded347a4a7d7816d3e0be29edd106f5
SHA256a2254994f944b53caea6bc4fdde2119219dd69abcb2e3ece19ccfb50656b2e78
SHA512a3d2a228b34428b12ae6bb5ebdf5a5b55a3315adb8dbd1a8a2e062e7087b116d89c7e64e90ae00cca01c066601bad6755c38d458eb19eb26c50c71912996c450
-
Filesize
30KB
MD504e8f9ac5d5ca5686ec929e8c4aaa18a
SHA1488492ee94c029314dc7a18474e586c621408c79
SHA256a88fa27616123790bcb403946d8c433504c3d3c638342d163347ed7ea062f961
SHA5122c3b6cdd9432b692196c22c2c33ae32a62d7f1af74801ad4baec5fc05f752947bd099ae50aef3805dff41f04acbca7f518e2b52541b8fe9f0e941b64e37230ed
-
Filesize
461KB
MD56850e28a3bc35dd3df0228698f4627c2
SHA15efb32a0fcfee39273d560b4990d3d51a3787b0a
SHA256d8af55ce42c3248a1bf90f81a5e0ae03a37a5e9a02c03657cba4f6370dcb72ca
SHA5127f85989b6ea9cf3914870cbd9255542e4fa3b64dc882fae821f69169009830fb42c29f7bcbafa7a4a465922f9bd9a584c592e3aa9a389e056bfc6059afcd9847
-
Filesize
886KB
MD58888c49aa48cf0ea1dc2be358624d147
SHA1055f7dc5635544ad131cc1331a59e866c9402ff8
SHA2561e111d314fae9689d28706c674c71ddaa6d7ecfc4df9d82560b4cc6dcb5a2348
SHA5128cb0c17f17baef58112bf01e14242b24ac9e300a0fe6083554b8a4aed029ee7cc7afb174980fec2f782fc2fa1fed5f3d607dac963dc6f4c636c0cf52a8d8e8d2
-
Filesize
180KB
MD5417acd301766be35eb9760efaa195bcd
SHA15e1f1cc3368eebc4a2d9e9dc3c72434e8342094f
SHA2564504d172c4067a74a6c4baca4dcd5f217764296998fd67956587bc37e225c342
SHA5123e9ca6b057f2c68ec9900d9abe41a391e28b84ddcfb80d20499a299eb98015dd02c2a43c614c01357b1233953ed0939cd7460b0e6daef5c0e514efbd2fd88f60
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB