Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:16
General
-
Target
27868072354dafeb97a7482abbd9ac8f31ef22ae8e2ed448ec36f602d822d54b.exe
-
Size
1.5MB
-
MD5
69f0e28bec8c54582193e0fcba98eb02
-
SHA1
d3b5429e2e893d5d396b34850db6837478d9e3d3
-
SHA256
27868072354dafeb97a7482abbd9ac8f31ef22ae8e2ed448ec36f602d822d54b
-
SHA512
34328811bea578e362fbe140de3ac8b52609f7086dee3a1cdf03baffe9af45d06c6324f18c4eaa5b09b986743fd7cebc75d0772dc6e4f1a1a5695d61f5e226df
-
SSDEEP
24576:ny/pd+b6pubFWxEwxa863VmXVCzFmyXOl7WLrnmr0ZdRfsJ1nK5YzkRY:yhQXQCyD1CBJXOl8nkMUnK5YzE
Malware Config
Extracted
redline
homed
109.107.182.133:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\27868072354dafeb97a7482abbd9ac8f31ef22ae8e2ed448ec36f602d822d54b.exe"C:\Users\Admin\AppData\Local\Temp\27868072354dafeb97a7482abbd9ac8f31ef22ae8e2ed448ec36f602d822d54b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ms6ON49.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ms6ON49.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZU4gN16.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZU4gN16.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oa4uX64.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oa4uX64.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qd7dS56.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qd7dS56.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oD91DD2.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oD91DD2.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zJ1462.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zJ1462.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3gM30MC.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3gM30MC.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ye379Rf.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ye379Rf.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO4fA1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yO4fA1.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6IX4Cn1.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6IX4Cn1.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4E20.tmp\4E21.tmp\4E22.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6IX4Cn1.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa7ab746f8,0x7ffa7ab74708,0x7ffa7ab747185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,6922100700946723604,17619787397667586386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,6922100700946723604,17619787397667586386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa7ab746f8,0x7ffa7ab74708,0x7ffa7ab747185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2107958968443054406,14173689452478832279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5092 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa7ab746f8,0x7ffa7ab74708,0x7ffa7ab747185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,4906220781530913178,6986209060575319239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 /prefetch:35⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\dgurgfgC:\Users\Admin\AppData\Roaming\dgurgfg1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5cbec32729772aa6c576e97df4fef48f5
SHA16ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
SHA256d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
SHA512425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
-
Filesize
152B
MD5279e783b0129b64a8529800a88fbf1ee
SHA1204c62ec8cef8467e5729cad52adae293178744f
SHA2563619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA51232730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
-
Filesize
1KB
MD5071b15c5e7a16333dfb086958ae9dc0a
SHA1dd7c6b9633d432609d4499ccc97572592b3610de
SHA256316212f9d16e532f4a3c6e4bee6b01ac73d71380aad875c25597240975e21b01
SHA512e706ed73f9a053333f9de9900f2cd9d92812632f9580de5fb4792bb53976fa1a6356ad67f7b3a691b4a25b3100d460056c2821a2d5f71a7e494fad3d159c3c3f
-
Filesize
2KB
MD5d9688c9e13326364c738107121e7e514
SHA16919188a616e4652243c6d064216f1706d3e9aee
SHA2567adb383a68e4878daad68f71b077b9749d54cd54eb12e100befc20a3f5ee87f9
SHA5129fa8f8b5ec4b4c25c3ad21e4da0d861a63e43a808e59d8e99ee6e23216457bc330b7a8e59c8efb7058cbcc2f78c94234217f7911aac9618f019893abea332c93
-
Filesize
2KB
MD5d407e1088036d7c5c0a094c4c9c93489
SHA1e6f81035fd33cb3339b9e4ce35cb5eae6831768d
SHA2560c7b6c453e6c98c1a6dbc2a356266e92e021ea318c2c47b59a8cb4c9630345c7
SHA512d5b8bbb4fdf66f4069cf0f02c9d5ac8d1ede610904ba27258ab2639ef3cda2fb68492f6c3812b4ad4854d607eb228415beb0ddbf29511af5233f467da893caf7
-
Filesize
6KB
MD5c0c68f7c8bcc9ca1485ccd4996927e07
SHA16264c38ddbd726af32c44ba290bead685c661d6f
SHA2564cb4f7b36f20bcbe304e94469192239b0b34f3ab77b1a232909ab570bdedf51b
SHA512bf24b8a859f2967b7ec3dfcb345400de059a2f58f050646826c97f153b74e8b0682d42fa9bba5ea0325d2ef799c81418c1b210d58a7a69d2428b15856f5332ac
-
Filesize
7KB
MD5a7f8c130aaee3d76a2348e82afb3b928
SHA1013ddb7a08d67005666881d7005dac8ea876dee9
SHA2567a9bbb9b079f293758e4cc45a578fca3677d35d2c14470fb338f061fbcd29fef
SHA512149ed18a952ad04b86da44438037c62df1587f73da008ef0f0fe1f18b1de9674f7e2118885ebd71a1a58cdd1ed96c24754644fdd7e94090de8bc6ca900adaab5
-
Filesize
89B
MD57f0ba981c002fa24bfe270849516e704
SHA144ae1b5da9029cac746ecda606b055e1fd7c643f
SHA256bb5938b8a0600b3b26334df9be3e2694987d011e0faf4bb87cb2bc39f229c244
SHA512e98d4d92ced507898a47044ead14efff26e9ee404a09adb4dccc07d4a410e279fa8d90a96f0d687070057c7b4a90b68f5e4f54e928259a86ef9a19bf23ac20fd
-
Filesize
82B
MD52976dace18d06963f63b298e187484f4
SHA1815c67927b8de31bab29f53bf21952093ff6b842
SHA2566212534ccfc83d78095978319a0cf1705d6923e407fe1a50a60ebd0c83fe69db
SHA512d5b727f8ad8e5dbd89d13ab847ef10b0e83b5c686c7ecb230d62e320cadd210dc25a8ece2f0da134ea39a16c7d70550eff01df3dff3b0864411d250f353a3c38
-
Filesize
146B
MD51ffa1a6106b71fe07dad901ee33c0f10
SHA107bd89888da1a6193ef3c32fa49e67af40fa682a
SHA2561b7844f2339b1df19cba9bd8dd7e8db6c15e99b7559f4393e99be80e21e37c1b
SHA51227a41f6aaa97fe48281536613c33d864e50a6a59aaf1159d26e079ff506f172149b9f29db0824be424f4b75a0ba81d95a005b5048fc314fdd6da893209e7cd8e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5d6c9543e81a1b4fed11f3a2c3eab051e
SHA15ed35a6dd5386173aec201e30100bd3f25f7b289
SHA2565ff8bdce1b5d833c3e53cfb391388fc9024890693f85b7f3816f137eefa90def
SHA512858b8ed66cc5e61cc9ade6df7b5d22b9eec0c32d89d786efef9cedac9f2807ed6e3e157f0618ab695c48cc95dd1bcb6cc4c98883494423c06543582b1dc0d700
-
Filesize
48B
MD5388bd23146515584e7f627a66209e6da
SHA1f616917a2320cdf98679dd0805a69f2a5c051aae
SHA2562be1f642202b831c2013e51bcd5ae69ca7849dc8eac826448c484e93c762fc17
SHA512f9f299df692e2ae06d3de9e2611618ed7092978a05ca279014b22180dbb8ec112e8af8cdf14a2b2df5286986c4163c20eadc7309832994902e008e32c8df0000
-
Filesize
1KB
MD5b4048d1e1e28ea745111d0ce51ed7ff5
SHA1cd1f3b3b7ff489a50441abdbccc9c7737a2a0eb3
SHA2568332f07985222ca93c758cecdb27aa624fda6606a7fd50a173a567c995f3b8bb
SHA512658e257b76b192a5e696471e141791d400d3ea49dd9731438f469296f678aa668cf88426f72082ceb5790b24293191019095b61156c9f479fa20af5ef4ab5d7a
-
Filesize
1KB
MD51f2c462245cc3518326ce0f54526c5cd
SHA179038586b7d8cc8b40c4a6a63686860d2f8abb54
SHA256c555df92b6757587609ff47e0c2349616fcf566f379ebc3fbcb599559a658af9
SHA51277e34ce77aa08c85b9104a80df23e0cb23a374e54f3d35b121bf754d5460f6d8d40bc93b62b45921a8cb58aea4c77a9e4f925c070b2ff36abeb91f8029ea0552
-
Filesize
1KB
MD54bacb783a66baac8ea4846648ad5d32f
SHA17d53d107b43f6e354fb1118944b8e7ddc5af9e0b
SHA256bce02f25319eb93541cbca77b6e6bc37a5f0aafe28fd2d84e5058d721547b4af
SHA512440fc746bb92cf50f38a27aa91d6f75fe597c13ee234fc0d4dbc704b1f8c550f6a14ca914a960197094828dbed0fb7d82338c115f18ab18978d9cd5db568d330
-
Filesize
1KB
MD575d5753cede6087cac9e427fc1ba00b8
SHA1c11252fe7f6273333befb237a14d7649e866ceb3
SHA256e6992e8b2d7e891d44b6ffd253ff0713d1ff630e77700d5202d759abf57600bd
SHA51263a82d0253c87531e51e238c89025cce22a3d2ab2b6cabcab509555314df7c84b84ecf4d010e5c0a60ee59a200ba36c679832b1e387006171c0b5388aca9d03f
-
Filesize
1KB
MD520a5eb5f854ce3d7c89fe2554fff0b4c
SHA1e4c9fe4058ef3337dce3e52852398a97ab1695ea
SHA256cab6cc148f4e80fde0eedd60a6ba9a3ed28a9d2157a3b229751c5d02b697d816
SHA51274b6c45740525f6ce8381d823bcbf2555ed669862105329f5c204050d20cbf8a26c9b357e202fab301d7297c6a711b8efeaffe07cb77ae57d5ce59504699d600
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5cc1573aa75ed30ad011b1c93e768d898
SHA15b92760809d22d2fe07e63f6a993f7375b9cb3cb
SHA2567e72bd1faafbe7bf496fbeccc225e70a040c1f0e19bfd0a10abac4e3481fbf7b
SHA51244d779f88d38178d88e1105b3765b2f593bc5f782465afc6a0f78a607ad6a825defc25f895e7344e4104fcccd97c55110c9d3839c2b7a35d4543b9c962079f60
-
Filesize
11KB
MD51b2cc25e227e0493061c3dcb7ff6e41a
SHA10d8eb5b43dc322559ae74fa55e0a51c3c76a836f
SHA256e80b821b46a3cbfa60e888211ada47a7c6991f0151e60b376ceddfbf5f52c4b8
SHA51246b2811754b5e7ed0db9c8af178ebf1dfecd3a7a48a2e4f9e0b78e8b94af026c94b5f4258c6c476e7eff13367642a19b8a58391d7df0bf9b1b405647f9f16b26
-
Filesize
8KB
MD57758e11faf3164349079c162ef8fdb73
SHA126e752340518a9bae542261e4403dc315be4fc87
SHA256b3e30419ddfd5dd7246ed1fdeaf933f3cc6e2bb6f637929daa648384e30fda4f
SHA51290962735b9a9db0a7217a2747d3fe6f2a3a15ef6c544d5508f91a3a3229c9865772ddaa970ff31a6686456d7da4f35ac447e1195fd33c95a854e4e7fd490f449
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD5338e2f443ba3cc69872f9a7d06c75b02
SHA1866d197084ca7f9934d41834296bec94240f2329
SHA25674632fe9f8cef1181dfa7ad436c12136b884660ad3722befb25e463b03d6a9fd
SHA51259a38696bb344b60877f8fe676949dcbed6557b7b6fbc3cebe9ac8a8a459a37886831357633ef4d4ed895c8ab57303ba9a3800200b12351c84272e10f6be43f0
-
Filesize
1.4MB
MD5a5ab169a50c5aed8f5c716ada82e4a0e
SHA1cf5039904bd4d7025060aef31279f182459fc18c
SHA256571283e4d01714cba84efb6844d4b13e7c2997ae12ecb8c1813614354fa982fa
SHA512beb33dee88041270004b5f008bb2b79a86efbc6bafbee41923aefefe23462bdf2656beeba79e484f0fe02a969bfd3a9f2ef3ee6c75f5c810baf45aef7eb2b2e0
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.2MB
MD526ad6b1616b45802082d4f33c9e2a5e5
SHA163445c1b3752c0e5b8c0fd16cd24a622c0f9f3f0
SHA2564dafb787922fbf45dda4479f49d780cb38fc0117925c91a9660c9b0508263803
SHA512b49dbd61e3eb724578b578ada1d21b350f264789a7b0c4b040200a336f79f9f8ba5d4443c2f5b4c05f0b3900d30741b6bf8a005a67f3e014cd96e68b08f44378
-
Filesize
1.1MB
MD5408142150615ac9ec9fffa52a667cab7
SHA158e136f41fc5b754b0372e34679f41b4ca931fd9
SHA256693bede9cea5901b6b60bbf4d78c08d00bc9b3a3c06a431f86a3f96f569260a8
SHA5125e28bdbbacc34bcddf37df672fcbfc85f7b165e4eabf2b63fbb0b3eeaf923b6819c9272962835d0af8c6b83ebff9263ecdfc2a42b27624a2c1097fdd323396da
-
Filesize
820KB
MD5ac920b3013e112882821d4ec8aa6433d
SHA1764c3301b12c618874bd55d6610c07f615f0d818
SHA25601cd164d6183136ab4eec7925871dfe04cc4958569c261544c6879a44e2a2abf
SHA512f91c061c8d8a38a57ec80d75486f3b74d41c39975ef0e8abe7ac4187837470381a037ab088a05d9a0cfa56f33d9fbefe83ae3252931a99097a503df116662a25
-
Filesize
897KB
MD52e3f17e7e9001ff7b7cf8ab412462a48
SHA12a49c0e715ecd73ccd9d0fcfb21de36cc3ee03ba
SHA256674e07c8188ea9be50a002c9850c7704541b44b35adc7528216dc73dd4a531b8
SHA512d42e8a4801f1c73733b37efb5ae17f321bd5463829ab9283566f38882624e284ff4c7c53b212c35ca53f9de825625a455393012ffbdc0e4caebd178fc716ee27
-
Filesize
458KB
MD5cf0fd9117d69751e4d41cec93d761f09
SHA1e2d50747bde1f1c067e70e58b23c171f66b84ab3
SHA2567cd353dc40ad54ffb47cb18b52a73f1b873aaec603442a93b1cf71ffc23f5de9
SHA512715ce3058c6a531079f4f25f69cecbc23104636749ca751e5e21d6f1b4258ba97178cb48bb2a9cfde82d0c27bf69977a952cdcaf9830c5730f14fa812020caff
-
Filesize
875KB
MD573d86751a127f28504b4239773c328be
SHA1a7b5a37edc0841e9a269b827bb0bf28ae0d8c330
SHA256e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030
SHA512464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0
-
Filesize
180KB
MD50635bc911c5748d71a4aed170173481e
SHA16d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
SHA256a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
SHA51250ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB