Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:16
General
-
Target
1a648c4a8df863ea0ffdd17c5f4a07250f4f40cca5e7f9a628266acd8d08817f.exe
-
Size
1.5MB
-
MD5
c8ee3a6885f27af7f2c2e918f8d2baed
-
SHA1
c5acd6bdebd71ee1443004939c359d67d7cf8f1a
-
SHA256
1a648c4a8df863ea0ffdd17c5f4a07250f4f40cca5e7f9a628266acd8d08817f
-
SHA512
653cc58976788d0639c1abd4bf6dc83662a73997d2e5727596b9ce80ec9ffa2706dce9d43106cca058c1dc1deffe875705bdf2b2cdeb1e2e677932dc9e17ea19
-
SSDEEP
24576:/ylfzZWAQ0dXIEieHexkOuiY7HpAO19j5HmTjPQLE9p:Kl8AfX7Z+7ur7pr1v0jPQu
Malware Config
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
redline
homed
109.107.182.133:19084
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a648c4a8df863ea0ffdd17c5f4a07250f4f40cca5e7f9a628266acd8d08817f.exe"C:\Users\Admin\AppData\Local\Temp\1a648c4a8df863ea0ffdd17c5f4a07250f4f40cca5e7f9a628266acd8d08817f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YR4Sr05.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YR4Sr05.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jS4CQ90.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jS4CQ90.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WR9if94.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WR9if94.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ka3sU66.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ka3sU66.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mO24jp0.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mO24jp0.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ot7051.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ot7051.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3kf65GQ.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3kf65GQ.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4oA200Mx.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4oA200Mx.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5RU9wx0.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5RU9wx0.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nm9EA0.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nm9EA0.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\61C7.tmp\61C8.tmp\61C9.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6nm9EA0.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8830846f8,0x7ff883084708,0x7ff8830847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,13989213102327347996,16444377847007647839,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,13989213102327347996,16444377847007647839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8830846f8,0x7ff883084708,0x7ff8830847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4232 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12931011345030593916,1880764992074587716,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8830846f8,0x7ff883084708,0x7ff8830847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3564148469901936330,12913926171219314755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
1KB
MD55b4109579fc0155987ccd0f121094a08
SHA1948ead1f24c9a9ee54612935d6bd59f3508ab105
SHA2569bedaa9f30f47f9d2615e24f2b9423aa9f4f4472f2a00c94fdb53f2244b89018
SHA5128653d07de5886aa46b56d0d4e28280fbc5ab6eb87287acffe186acab34cf137ddc6770caa3cced43807e67c2dcdd05fac1a56ea441ff2a8551d08bc352d75c36
-
Filesize
2KB
MD51b346ace21a0ff7e7fd37b57d8ad71a4
SHA1328f05ab4ff74a27166c77d9abe319ce4912dd35
SHA256d0f3343ea9d5280fd9f5324de681a18affc615d351b9b9e80694066852695b10
SHA5122e713686fcc25517675bc2dc90dd0a3d942ab39bbbab77c276df51966842bb9aa9680137d3142dbae394ba9b43fc528a27e30371138b8d7d0c75f45487721e1e
-
Filesize
2KB
MD5c37b8a28c02344fe8acbd9a0e0b3f686
SHA16e2eb52f0bef3eb4ca8bfa3ca8c0c6991283cb69
SHA256b6669507d1bb173aa342d7ab8965b83d00cd01890b75b8ec149542b3338bb414
SHA512752eee0618b3cadc45635ab9b4a4b7c1d96e73160310f0b0bb7961250125740c35cafb4a8906dc451c5585d52c30bf1fc230ddc7fdb2665108ac0c1992fb0e12
-
Filesize
6KB
MD55dd448e23047d6697d715441c5346112
SHA1ee71beebccdef0e0322987ac8bdbf8fe0accbaf1
SHA25681dc3fc6f86de590daeb10025dffb3076b49ec68900636bf7394e8e1d4608c5e
SHA5122519734ac29848696d0c12810627c5f348e980d2a4a5de9fd986184c41dc1fb8340b074071bd84427fdd06a415c4fb69f5222c3359c2da7b4039ea04a3e249bc
-
Filesize
7KB
MD5fb5c5b6f18a226aa5940c19813adabf2
SHA1333862b2ff3c51110aa4dd533bcb465426a16d71
SHA2562eb5df2193af33880c865ad03c3f3b2ae05fc888a5cc9027c30ab4fab3dd0f8a
SHA5123fcedd85259b07bbd364913747ff9d866482cafa5776827aa64db297972fbdd0b3443316f3517bea000ab9005fcedc48d91453c11d543f96e0127a1890dd0b77
-
Filesize
89B
MD5f380907b00deb552cd7233dbceef4cb9
SHA1282d9de74b488317f521da2fe1633a7eab993aa0
SHA2560f2311f653436b85f9b51b9aa24c40eb632a363f22f95d074543bf3008d37b66
SHA512474df220054cb58ec6e3983b5effd13638db7f784bd67d49efeadbd1ddbad5ab8bc61dd91ef8c6758ed200a6ca9ebad3b0b9efa6714f00c3acd3361be16b5d34
-
Filesize
82B
MD532fd9fe5a4fcf4e64e79f16e985cab71
SHA1369cf5677348cd89f2f25aacdd127f627bbd35b0
SHA256684e0f490b32438040eae51515c36bbb9bc65c38d9246ca64154f5c5dcb3b57e
SHA5121a9befb06e2f2eb38f90cc59903a3d4ee9f603d649401bbb912077019b74cab7eebfe42bcf9fd6d302bfe575435e7f297d3af2a0dfddb74395f2777086259a8f
-
Filesize
146B
MD57adc19363d1eea4698471971a230f367
SHA1a6ad9d4c4bc4073229d12076637a0f38a1ec02b1
SHA2560668da607e608414e2dd958663bd8537621ed9bff2a4aec1c41d383154309df5
SHA512edc9ffa953ff52c456507d07d81e19f15b540179670db73949e394f903e6259dbebc76f1620432e02b723d1d671d4d35e9feaf75240d239edb79e3cbd3942691
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5cdf216f55563b8ed92f81ef83dc7a5d9
SHA1232f53be7df6ca27a4bd8b904ede67782ddd43b4
SHA2566685855d56fbf7ee205a29b07c2edbccf0cc5444062bd3741c611b804dc96af7
SHA512cd6f04408d60d70b4fb2587f80d1f818fdf4f152b939dd0bd74cff6009375d3660e301f8149d58fec65de1123b852ad884cc31cefe50071f0c9f033792bfd0b9
-
Filesize
48B
MD50b17598257e3ac62b2c79b52dff81259
SHA15173bd351b4a7973277639a92d5dcd7967c4eacf
SHA25604394634be15fdb13818822b2f4dcf0cf304f259e852ba5fd9559727bab76708
SHA512e052bd9bf568f6bfa42b41b6f06fb8048a7697143b2d0446901aff0191a73c7641724cd9aa548c0b7eef3d8bdfb36e10e4217357b111e6ab17e2893472f44351
-
Filesize
1KB
MD59ba39065acd71036f5c084d7d36c7e87
SHA18d4996500ebbb21c7ca368d20a4e719ca857f8e4
SHA256a60a71e2c694ffaba0ee59acfab460faf6d399c15118d234124f665f361090c8
SHA5125f819bc163cc0b3e833b6d9262f25610e9b1f99a6c2548f3eb35927b4442212d4a33d28a83cdf0858555dfa6d21ccf0dab58e10eaa3bc8949d288c9d55bb6007
-
Filesize
1KB
MD568fc81723b237ff39c2ea718cf9dc2a2
SHA1a569d9d8c2343af76477de36d46d80ac2a37fbf6
SHA2569b724bc3fed592b7d222645cdbac2959e86df65e47666005a07f712ba2682385
SHA512a25a02d4b3472f51b13826e53bdb223ef89299d8d2bc676d36e35672efbbd513e62a5cca681b311454a27e1f8ad9d3a0ff0ced03ac403a146e442e3280f75579
-
Filesize
1KB
MD54ad54cbec9bfd8bddeb8e4a734eccaec
SHA19b4a08780a1e2146f924610fb1a9fd227f31045a
SHA25620dfdbb76df6afc2adeb07ff404ccab5558804e041a6d7f57dfdc83025e02253
SHA512b05c24238691b95480953841b78a1f77dd9c850b411889339ee2d47717b060ddd90a9f486402030d1f39d666479fc96bf2f9e27bcfe40275c5056c811a8d776f
-
Filesize
1KB
MD5bd8ab29d6450051fcc971500d1b8b173
SHA1881610fe0476e2f14567afa4f876f57e35050919
SHA256a53347bb4a3868096970a902c04723d73f5fa8184ac4df9575e0bf3394aeedb9
SHA512034b1473a977dfe2cb10272424d23dda358d6fca08b663892a3c10601875158254ad3b600762107f4e92fa58c0df5ef0ad9e5c194d5dd978bad5e10c35aadf81
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5bba831cc88a5abcdca4b475a31cc5738
SHA17497bb0f37ce176376133d674d86e565d7348bd5
SHA2560287c36c03c39558f296c7b8a79013ab144823823d30834fd6795af988a8edce
SHA512b2f7db310028f9cd3aa477950f43d0025c5c226bbafda40de515e6fa4660e7dc75161af23b20297354eb3fcc7eaad4fa5b134ee395a92a0e1e2d9f1152139e6a
-
Filesize
8KB
MD5d3d9f2633f3724a3e717047d1c3b30a1
SHA1b04309d6f1d3417069919924302d68ce23f060dd
SHA2569ccd3e50569f953c332ef4d2a32c83780de3e2451056c1bdd7bde304bed30e2c
SHA512bfe49b7a541c30e81963cad5cc3ce97159262a7d40bb9f5c07acc836a00e6234d705e30af7c8c87623180dc1d71ae775d10e91b13fd3ab4fc69e8372a6ff360a
-
Filesize
11KB
MD5e146c78631498389456d600872953f5a
SHA193de46bbfe43ad09d6dde1816dae62281295c6c0
SHA256ea02979a59e82589757b9ecfe45252fb6c0a6459b0b034b1cf33716fb62d3eb8
SHA512c948f6d976b1192f28532b8dc9fd31416327e4323d6434d887ad760d708d11b63f6fc18edfc32d44aadde2742dfbaf042f7edf7f5ec08e24ae46b7606caaa082
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD5ad37afb8cdd5ced298291f4426832d25
SHA15cb79a2b960734f14f47b3b30cf1eb9102b1f4e6
SHA256aa66302b06e3d408a39b0d47f73dc848126b607c5bfcc133c5dc582fd35683b2
SHA512b15d3cfc17c263c7b3f36917068e042ff39a04774bb0dee840cf86b973b3bf25e6865264e9ebc449a44a89fec7400fd6b84ab2988db1652db8ba70b48b18c610
-
Filesize
1.4MB
MD591c898f7905676e210b768c6265680ee
SHA12b9f3c90960f7f88af66321c74981da51a376ea5
SHA256e99c1f682684484085212faf78439933d587fe461e051db653fe3c17aedd8a84
SHA51226325cc98a8ecf50c4943217152e963d9b4c90aedf1d66068955f0b22bd1a0f79c3b021ec85efae34cd7564fe9f0868d08c88675b7e8ce42db97ae779229e107
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.2MB
MD5da5591341d23fd2e6a65f50fa495e398
SHA12bd71cf629b632e7d32eb8920a81f16ff6c4ce52
SHA256068f23db582857eeb3b4ff35898c984199e4673b651a20319a1c80a8c2049f5f
SHA512eb77262fc332e1123ff60e25048defcbb3655ab72016881adb86142e3ab70847957b6c346cfda0bfc861c337d3c16687a4d536179604cbace33c1b542b83cb72
-
Filesize
1.1MB
MD5408142150615ac9ec9fffa52a667cab7
SHA158e136f41fc5b754b0372e34679f41b4ca931fd9
SHA256693bede9cea5901b6b60bbf4d78c08d00bc9b3a3c06a431f86a3f96f569260a8
SHA5125e28bdbbacc34bcddf37df672fcbfc85f7b165e4eabf2b63fbb0b3eeaf923b6819c9272962835d0af8c6b83ebff9263ecdfc2a42b27624a2c1097fdd323396da
-
Filesize
819KB
MD526ae3250de71bfa48d208ce69a875024
SHA155f7fa5c077c38d7a40735484d2f5dfbc1827ace
SHA256bde48b660fc08d7b67ac42ca326a8a6f034969d9be4364241abf6d5e2c7a9c05
SHA5120dc4f0bd3bb52c0c4d5818e409e2a36e1c48b6452889160679548f1dfccc83633404b3226b58d957ac207c4a07938424ef10881cb66b9b3744be988ac130d95e
-
Filesize
897KB
MD52e3f17e7e9001ff7b7cf8ab412462a48
SHA12a49c0e715ecd73ccd9d0fcfb21de36cc3ee03ba
SHA256674e07c8188ea9be50a002c9850c7704541b44b35adc7528216dc73dd4a531b8
SHA512d42e8a4801f1c73733b37efb5ae17f321bd5463829ab9283566f38882624e284ff4c7c53b212c35ca53f9de825625a455393012ffbdc0e4caebd178fc716ee27
-
Filesize
458KB
MD50f9d5b39f1e45a83a5237f313aefb0b8
SHA19b85ab14d9ff9d1eb85f8cec012c8304ea09e671
SHA256eba9dd114e4d39f86ef1cd130beb094d697a782a4a134857ebfba12333104da5
SHA5129eb27df6915892c7dd745f53f59996a3994ef6b39e97173a1a048625075bacbfe29741d8677339938a7d27eb387955760a99246e154d5fd69751e6aac8ba0023
-
Filesize
875KB
MD573d86751a127f28504b4239773c328be
SHA1a7b5a37edc0841e9a269b827bb0bf28ae0d8c330
SHA256e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030
SHA512464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0
-
Filesize
180KB
MD50635bc911c5748d71a4aed170173481e
SHA16d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
SHA256a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
SHA51250ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB