Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02/04/2024, 10:16
General
-
Target
326288e784f015e92b191f5a9f0fa00874531b544f691f677417e5eee658033c.exe
-
Size
1.2MB
-
MD5
b086189007b4e0cf08063542a96a8aee
-
SHA1
4c40dde0e25fc2ea893a54334649eff267f3186b
-
SHA256
326288e784f015e92b191f5a9f0fa00874531b544f691f677417e5eee658033c
-
SHA512
b0654b6d76a9084e53120e155f1f75a7bdb020be07287388e41d766d3ec91aec5cb377c731665af4ede4fe6ec6e33a158929a4d4681a877b0a1ab886c5a0d25c
-
SSDEEP
24576:kyFXCc8RaNMhF4dPyoYp+VdSsjndO4FgOy+Tql7+4fbMi17IxD:zFR8RaehQyFp+bS0njl+lq4f
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
supera
77.91.124.82:19071
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\326288e784f015e92b191f5a9f0fa00874531b544f691f677417e5eee658033c.exe"C:\Users\Admin\AppData\Local\Temp\326288e784f015e92b191f5a9f0fa00874531b544f691f677417e5eee658033c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xc6zG71.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xc6zG71.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK5yJ48.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK5yJ48.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fK1oi16.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fK1oi16.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Oe7RV38.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Oe7RV38.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iy99Qo0.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iy99Qo0.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lN9859.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lN9859.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Qf91VN.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Qf91VN.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4OD127Wh.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4OD127Wh.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5SO5SH4.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5SO5SH4.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ws5BW2.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ws5BW2.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6D6F.tmp\6D70.tmp\6D71.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Ws5BW2.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbd7446f8,0x7ffcbd744708,0x7ffcbd7447185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,9369415917969907222,12172421783846054567,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,9369415917969907222,12172421783846054567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbd7446f8,0x7ffcbd744708,0x7ffcbd7447185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3536 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,11960255290966943696,17154113185605492532,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1336 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x78,0x170,0x7ffcbd7446f8,0x7ffcbd744708,0x7ffcbd7447185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7186179172331821021,17918173817415115767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7186179172331821021,17918173817415115767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e1b45169ebca0dceadb0f45697799d62
SHA1803604277318898e6f5c6fb92270ca83b5609cd5
SHA2564c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
Filesize
152B
MD59ffb5f81e8eccd0963c46cbfea1abc20
SHA1a02a610afd3543de215565bc488a4343bb5c1a59
SHA2563a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA5122d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
Filesize
1KB
MD5538caf26d521d6b85e0c07578e4cf1bf
SHA1959cb79a02138e749c3716cf840610797b27a041
SHA2562384a841cdb9a0058ed7e9589c972f0ca9d34b36f6df86143554536579972ac0
SHA512799998b42d8b069fa8a7aab47ad3f85dff5635877f88ca16169e68fc3e33cd60e26cbd0e571a7569cc9500dee4e619e5a6a2a1e76120e4ee596a2672b1196231
-
Filesize
2KB
MD531bef0c331f46c645f57e589ea8a699e
SHA12107443f8ba75e0a3a8cfee74e99762626e74b79
SHA256d65d206142a2bb11d3195d4bdb04f5c835700c5864e435e0cd6c221ddb834f50
SHA512fd8820b7ea98121d48bed59031cf3c35a21575ea5a6bf6da9e3fce55badb7857d9975ec0e55a674d8ef3b82557937f5865f2f03d45ca15cf1485f11de2917aee
-
Filesize
6KB
MD5665d1993001639eb011119dd70b36fff
SHA18b5661f148b712474b7862e960c1358d0a2bbabd
SHA256234f6a16300b37969250b869f8f863b445b863528eb8a614cf56fdfe2ed7ad53
SHA51207da2f36ac38bee1158957794dfe5e1cfe2c36195e69e0e8e3d8b8769d93298128ac94946ee9030028feecbc4274a00afe7309f91668e0d1b5d8c5338af1d268
-
Filesize
7KB
MD52274748c6f9e8e82b254a83b141aaed9
SHA1be1deffb0697b9d4a0a907f87fb749701ba42cac
SHA2560f1af4a31593b8a98c0d49ae9859920cd291707f8a3e19b0eb79220561e9f97e
SHA5120b70aae1cb131af492985edd39520d1d8e8e2a031fed501b4de3fd9e2f206e73bf9b6d0ab1870053a11531fa57e213ea1143c25a19248d87390c6fef4d3978a2
-
Filesize
7KB
MD5632da6806281f682889d1aa5bd5e31aa
SHA1945f44e22c05357706958589f881b23291845d0b
SHA2564ddce1bf3f21216c6fcb8a4692f7847391c998f54f890ee04c6e7cad83a04d6d
SHA512a6896d3645717f98488691e3a24948bdbb136cf101230632d33c31bdcc3d12ecd0fd162cd9e5b801f0e132825eca0034299cae85d7ade97bf3066d5050fe98f0
-
Filesize
89B
MD55c5c2dcf6d13d243dbd03285b48d5912
SHA1a03f6fab8c1e90d15444e0c227a5f5db338e0872
SHA25614e4317d9052c5904687f43d421c2c996b4fe8d6958729370013340ec98e5d32
SHA5123fcd34adb8c087586059da882885fdcc5498209078c20e5e8b4cd56deb471b2174c9e4ade3e8f1e7dd4bc8491b1fd15838a74070c4af55e85e056b01e2a4c688
-
Filesize
146B
MD53398509b658436764efa4cf4fc3bbdf6
SHA1a621c914e62836d2edcea822b5a56e96bce070e0
SHA256ab94131dfb78db176602e980c4601ee7f097038cb03ee292f0e0070c3782f4ea
SHA512d2cebe048204dd1497b143a006c1697701ce9c623b16edaf786108b411886450024841c6eb18e2189c365e2e5c4e517aac25ee96aede36fcb3edb5f4507fb5f4
-
Filesize
82B
MD5753c1c904fd497fdc2a3cc008b5993a6
SHA1b8af1927b159cc71bb34c44eec9c43c3886add2c
SHA256a383e942aa6d770ceb7ffef4709606491f78656241a204e8a56ce382df3deae3
SHA512cf547f482c2c07078dae3175a23753a75028b4ceb81266644db6ec6119832dad3f475cf2fa7164789ee868e2990784f3c257fa78f8da7c74df3d47430f3625a9
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD516d113e6133451fc49370a706e17d84e
SHA1dabdf105918a3db59ddfa91275530ea31c715dc8
SHA2562f57fc2075f2898206cbca69c7beefc519fcc7a20cbc75ebd70c467618bba755
SHA512da6e6420545ab45a099a2e7cf7ce8d3a794e9b83cc7b30f0608b7d24ec0470d9059fd06336f329f1b57929d41a39b14bdff6710476c19ee872d2a7675ab9e8ae
-
Filesize
48B
MD55d745fcc4ab6d1f57771042112f01d2c
SHA184f89ebdb86b64ac8fc22ed6711e46a8da4f5688
SHA256c939428e453961cc27130fcd313d26347d22d734a510275f8839152a6c17dac2
SHA512d9892ab9ebe99bf8e503f61f2d73bda1008527025eb417ffbc2d5f0b7be83d87887000e751e6eccfd08416958dd475714321536f87b27cbb072225293872d548
-
Filesize
1KB
MD588d4d708fba35a74c30c522b90a78732
SHA1a6fb1f02d83ec8969e50fe9aeea484648677533e
SHA256dd902731f2047a03dcc7e307b882bb77694f06f3e5f3b4e295cd011c12176e13
SHA512e054e848d61aa8285161e56e6a4f364f93de02fcda4cbde90d5e6bddd50ae2b212a7ee3ce7055434fe1d16a854abd5b657dbede0d237b095ec1a4b0fc5ea400a
-
Filesize
1KB
MD516dc42d56db1f3030ff1935b28af399e
SHA19a089b126d22af99f8382a7a72cbf152078dea3e
SHA256fc4d79358fa4679d6df84bc02ac23d364db26cbaefc2c41cf9f6a952c4d0cd83
SHA512cb47e6e844f3c9b35514673ce2279ea947c6eb9e6872f0ae46182c540836f126d3ac9b25441b9e8769dd7570888c594ea8971cd78c30409c2f0215db1ed64173
-
Filesize
1KB
MD55009fd6ac9d0702cfee851758c5f432a
SHA1a3ec3c30463a63faffead70bcaf6bce38318c3e0
SHA2562f4c9b730a10fc7512c9b197022a8dd9b78670b2b5eab795d5832685a8a0713c
SHA512c988f7fb8ddef79235d4c47c17dfd947d66fd271833cb69c87d4e9db8032c39d390264414de09a6cd35704842d8320c9a38a80b4e6290d8be86599cecba5afe0
-
Filesize
1KB
MD5530039cfaf45f47ccde335919b7fa907
SHA1f2c36675e596b9faa6e535f46fcb39bd54c49628
SHA256112720cb47f001581bd80643b88ec4e5ecfc51d88be2e5a704fc29c64f9a92d3
SHA512c75690543743888bd1666af9bfe32ec988dc399e6d4ab56e4a4017b3f5b9b8d6066b36d10ca6251dc012cf26830d0c1249010a0673207ec58be1d86bd09359d0
-
Filesize
1KB
MD5c33c113bd93efd8197b37054fdd563d7
SHA1ec23996eda93d9a16ca9e2a0af763e7a4615f8bc
SHA2568f3c0ae7efb302f5c880d4f17ba34d35e2fbcb980285d25bb2e09310e2b5f707
SHA51232277e89e2c9d3c39a637cf5368e0cb885ea81e73b1beb5c2a076f22e870aec29c78e45b66088c7c25109e784a0369f3331e19f4b3bbc70c4e7d8ea458a39efb
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5e0ec8ab8d819c017900649c1a0b46a88
SHA1755ed8fed0af453743b5ef8028ad3edcb476592d
SHA2568970be335bbb8b638c29fa9c9fc9a0e7fe1789eea1f75c9521b9699776a3cca5
SHA512cce16e24cf4c5da6e7afaec03384211c4c55cba61d529594de47369b5ec5a1c19d170162c5dbf80881cefbe953bc94b01ee0eb8a2eda76e75e481f139290b137
-
Filesize
8KB
MD539242ee1449622ef34b10b9a44cadce3
SHA10e8b1f440c98c52f70ebb89d22f544cf2efcfb1f
SHA256e9ce38f3b62395b8d376fa8b443488076d64b08cab5db29b06aae4350fcc7e9d
SHA5128203eccee218bcbcd3b89e75581ce89e7b0599b3c4055936504e8778f06d6c52a095e2c122ed5f52a28530d786dceae4854f5790bb558abc945221b485095c21
-
Filesize
11KB
MD5738892dee2e022a713148052fafe2484
SHA14b921cba09c10f85568d3c8f822f8bddfe710ea3
SHA2566627bb8cdf9dd2448192785d545b0f7950e3512d6f980b4d094f1945752f1e9c
SHA51286c72c5e2d702d59ea52d642ad4225dfa4c8440e92f217f51e8844dbce41dbf7d87a7abed210ca7680a7abbb5a282eda46586995ae96d0f3701aaa9df0a91594
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD5fc8ad48989b88db5999cd30494ac4b94
SHA18f22922bea362df5b00cac24d5cc8ca9ef9676b1
SHA256f0a7d99b2da652e934ad54e1f8281a2b52f23b4f347235fd4194a03695d3a244
SHA512ae70c7c2249c16deb146739e9cd4739ac2ecdb49cc19cde40d2209557b0f5bdccd785167176a7fa0e274ec550cc0540d8d8b2702cdc2ae4d577778c5cf12d5d9
-
Filesize
1.0MB
MD5876eb02e18b0798b9567900788f92298
SHA1049a90b9bc99bbc58ee5e5ff1fd61da056e8dc5e
SHA256ab3279185051677e95182e7cb54e4caa75c751fe7168dbdee7707fee338db6f2
SHA51238cd4fc56f446f7fd96d420967652304aaaa3de2dbc838f3b301671e141a77dc4a59ac2f25eeaafe195b96e0864095590e4181e427ebb1c6134befe638201187
-
Filesize
884KB
MD58086b124107215fcba5ae0826c3b443f
SHA1e36d184a16c39a759bbb3e8cdde00912bea397a6
SHA256e2450bf7d90d8948e33098bbad43e7b116f3fa974c6c8f4c07c7ca964e6bab1b
SHA5129c486585cb84bc2c7944440d340b3f8116f6b33994dd563a1e93e11516a16306699bd30e45a4d468c4eafbedbd8dacf6134491e7384ceabca5202dff1021fb64
-
Filesize
460KB
MD50e52221c4a341d372ca07f35c468c100
SHA149e30a72e4a3474dc140460541e561ce3c2be9c3
SHA25610b6c7a5c4b8833664e6c07ea6d93955403fb7a0947d5a2813c2d0fca5605f57
SHA51213fcd313ef8a376303ae5800446899f503f4643297c54299ed4cf9e51b6be3f29806060ae25159b699ff436aaca61612df476636f8a122da8ef323022ecfe597
-
Filesize
597KB
MD51f03afc1ab3bf284d198d1694812c66c
SHA12d1b9f98d17ae1598e645ae533a2042c5e417181
SHA256e7875d7d08defdee2484a4da0076c3c8f13d3d2083dc3143195e4d15d391c703
SHA512eef7027b8ece8a7ed483a43ec7b5bb31ea09b4f44fc160a719ddc0df0049754a0a4e98a3bab86ef715b33b3ad050444504e1aac81e402b92f2c94fa6e0d49ba7
-
Filesize
268KB
MD596068793c83487082af0133b2d4224a5
SHA13bb729697ca03e5fe4413449cc5099d5f6c23f9d
SHA2561dcd81548f1ce254d02fea56ac97f7d1a00bac5e04edbd7cd613366d57425af1
SHA512b0a3563898f6de519e3894fe087eda7431d89ca68bf9d8abfb2d34f15d60842c28f1c36f9b55b3de8b9bebe16234a0e5443beabfa781be14674da3327ad85e84
-
Filesize
360KB
MD5b37eca71ea38adda628c7be5772d09fe
SHA1b82cab8b40fe094b2dad08c93396aacc23e20a34
SHA256dbb75b12b3514c86759173ab99378219ff1188d9be91e86663a26cabca7f91af
SHA5120c6fed72e4b9b33afabe08b01280ff980325781287b19eac10bc0cc533721ae2f8a216fee8ba7d1d258468afa94a27b3b3eb8a2783c838a44dd6070b6eaa4cfd
-
Filesize
189KB
MD5caf63a774b50e2eb015be1e12dd28e35
SHA1e11cd284e8df8b958ff6a90054fb238bf41013c9
SHA256a2a2ec27e07ef5d314adbbff52db15838d300f920896085e876c1050fbdc1b69
SHA512003357fe8c5663b21443ac013d7a5c00093ee5865c8cffa48bae71a48c0dcd79d914d8110c58b3c9faec730977d5d265b68042d35150a8e595c8415abc38e737
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
128KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
240KB