Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:17
General
-
Target
6d82e3c5ac60406d1c6a513d7ba1080c77adb32ca3d6b2473e0b6ff76b4818bd.exe
-
Size
1.8MB
-
MD5
41a7fe217d400d78ec38420cfb3875ee
-
SHA1
5cae6714e0cc19819e0c70459a3c25968ec554ff
-
SHA256
6d82e3c5ac60406d1c6a513d7ba1080c77adb32ca3d6b2473e0b6ff76b4818bd
-
SHA512
f602730c3f65b415f06cf67aba5df031deaf8740bad21b4f84ea0e3573ee4d537fb3fdb66491659d2433c4606665e7f7124f12a260356dbe52397be170da93bd
-
SSDEEP
49152:K+0fsuP1/cLYWp/pS3A9YrkbhSsK2J//1:dHuq5/9Yr4hSBi
Malware Config
Extracted
redline
homed
109.107.182.133:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d82e3c5ac60406d1c6a513d7ba1080c77adb32ca3d6b2473e0b6ff76b4818bd.exe"C:\Users\Admin\AppData\Local\Temp\6d82e3c5ac60406d1c6a513d7ba1080c77adb32ca3d6b2473e0b6ff76b4818bd.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JD6VH69.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JD6VH69.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hy5qA92.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hy5qA92.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\et3On42.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\et3On42.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uD8Lo01.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uD8Lo01.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UB2YX25.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\UB2YX25.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Vm70Zb5.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Vm70Zb5.exe7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yS5530.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yS5530.exe7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3GQ30vL.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3GQ30vL.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ah887yk.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ah887yk.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5ha5KK9.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5ha5KK9.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6tA0Xl1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6tA0Xl1.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7th2Wd81.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7th2Wd81.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\63CB.tmp\63CC.tmp\63CD.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7th2Wd81.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x78,0x170,0x7ffa6f2c46f8,0x7ffa6f2c4708,0x7ffa6f2c47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3356 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11336060947313284952,10767229111037135548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5052 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa6f2c46f8,0x7ffa6f2c4708,0x7ffa6f2c47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,7405108966528682733,1669268788352202787,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1932 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,7405108966528682733,1669268788352202787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa6f2c46f8,0x7ffa6f2c4708,0x7ffa6f2c47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,5146811312685940157,11298155998304370803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,5146811312685940157,11298155998304370803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1712053063.txt"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regini.exeregini "C:\Users\Admin\AppData\Roaming\random_1712053063.txt"2⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\bsibhhuC:\Users\Admin\AppData\Roaming\bsibhhu1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59ffb5f81e8eccd0963c46cbfea1abc20
SHA1a02a610afd3543de215565bc488a4343bb5c1a59
SHA2563a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA5122d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
Filesize
152B
MD5e1b45169ebca0dceadb0f45697799d62
SHA1803604277318898e6f5c6fb92270ca83b5609cd5
SHA2564c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
Filesize
1KB
MD532ba2396205985ffcee9d1ecb76b80c8
SHA1c3688419a9d4414a3de3766852ae4f2da3fddac1
SHA256c975aa07089a96b43bf154aeeedb5f11c124a4265fcd0c299b106005f1a381bf
SHA512e45be24b94b87735444797937fd938336fefce1ffeb854106054cd678ae155455f19556d8db31aeb9ab57d190bd5a27768bf9bb4ec7b427ef7bd669aacc2ac98
-
Filesize
2KB
MD5f6bf712e6e2482d14d83cb8434667937
SHA193d3679ecb513c54c90f7f025b2c05c3b25b6767
SHA25640e6aa63671c648a6a02badab731eb695c798370a0794301671c33f0983e8450
SHA512efcdfed964ec7359cfe26c323ab19e8ee2bd0fdb24f3cbfa8dcea80c2adbfb8d55cda8801e55b637bd5ad8c56c7e86ba600a6089a39ce5c194195bef0b44b948
-
Filesize
2KB
MD5065199146692c4e9beeb39f6af386032
SHA185fcdd120b77f77aa5a4d2e8d29ba8fdb5cc6500
SHA2569965a81bd0b1ab0dff285ad6a130f414df864f67e4ae341e43c0c21b7a79aec3
SHA5128ec042c00b9a7cbe98ae8d45e3bd09367493b595e5936c156fe4087e1b0f00c7c06e566c8647f1f10c10b882a02e06632228a4d231702eca0bf6451d03ee7d82
-
Filesize
6KB
MD5107563c8783a879864fcbe5198c5e3f3
SHA1f51fb052bd95145c5d49b77cd6a50cbf84cba426
SHA256292774e4d9cc33a892fc5165d9f4c6a0858927504753ed1de38cedeb8b1f27ca
SHA512be88e4ef687a5efc2b05843d1940e4c6e043718e40c8fcb07acf4743bbf791b1294281a014936343e1aee893a3756a92e97f8580083cb41f0cb0f5c87b59c7ed
-
Filesize
7KB
MD5e82e988cf72afd6b3fafabeb19d7674c
SHA1fe3e3563f78904ae4ef9ce5b0c5770b16839080a
SHA256e381781ece163cc172e06220921cfa4fcd506b0b9857c85f4ddfb84c37cf876b
SHA512e2e4a4c7d7e054eae719a31386edee12c8f7ec3ead1fef0e6f75a518a4d6e5b437371848f19faed0c995561faf5f59fa0f84c248bd17f745be92d4c86f20810d
-
Filesize
89B
MD58caaca6f5f20be7680f60021fca48009
SHA1abe1387c350e026aa5bb51f2b06b392467c124d1
SHA256c27687a49436d4914093d48badc9a0cf64df1e280f5205e81eda6ab78a7cfb2a
SHA512a565535645f77b5282275f2b11b35ff6cf7b4269b935f3a31a202c4f753568f2d35cc08cdd43782ae02bfc05eebc1c5509126060b1a082dc4104d07995f57cc5
-
Filesize
146B
MD56bec1fa7d1701eb25412638f5473e17b
SHA1a443a8def63de8c83d4e919ef71db9b6780e3eac
SHA256112c98a4eb6d6e74ea195da281e1575fd71474ee7b10c5a0bba253d0369b02e5
SHA51209cb658b4bef0b30274eba9f90c0fac2d9b091345ce0ae614f1d65996d7c54aa33a15af80bb7837b9830befdd4a7bfd76659c829db8f919d3b30b5106638b8df
-
Filesize
82B
MD5bcfc36e7dcf5dcd5bf777ffb7fa2a83e
SHA14044f3e97c875cc116ea743f6cc947fc1ecea830
SHA256d6586475fd8a2bdbe19a06a6c425add5f7744930e6937685e8b0c318a11d93d9
SHA512791e0debdae1a41c58b2dc80f692c9b3be3d13623f6ac148bfcc8a1cda4f3a854b9ff727d7237ebbf33c49a0774000c46e3e33d30cff1113f675c8bede4d7b16
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5dcd203878a1db68b8d50a4253c82daaf
SHA1c2255c9a50522f797d6ea2c8ef53a62eb6e7fc30
SHA256bee7b040c42613bea8e7592e3eccec796e38618a77e5fc60fbc5d20210e59d17
SHA512e09bfeb50f3d60222aa7b78606020330094d1d561f63d45dbe11aad76c4b82642071001acfdeab1568a8b421529b4024822aada3552f1b324666598ba1572196
-
Filesize
48B
MD528669833ae9fe095053430d668f9908d
SHA1db0d211c00434b3ce2838dbfa7fbab43393b9102
SHA256c328a5cc2820a6f705e70b25021f9c2a790f23348f3d6cc68799d069fff2deb5
SHA512daa6d6a1ccc7bd6c0e63c92eba58cb18927114e139e4dec32c4355fce73a2a5b726ba6b9cf5454449c7fdd325e72607835c7d8ea97a1996b5f6e06d94eda068f
-
Filesize
1KB
MD525319d799de48b6979957a37e19f54e6
SHA1d000946f75296e70fc0a8470cf1f5f91a5a2b9a8
SHA256bda5f6bde92e6657e28ccf79ab5b7653e05ffc4a70388e6a8f8236a63c3bc370
SHA51240e54c9030228648a4d3a92eeea559fdc736dea4211fadd0db64f05dd455fc32c8ae1570685c2d18fa36b83dfb80c229be71675b3b26d00c464b320dc4e8fd87
-
Filesize
1KB
MD561559352364cf9423603be21344e0798
SHA1de2304efe5d90179c6471808d92283bfceff7de6
SHA25696c564a805bd72488ab5c1f692b773079d24c47d3873a78e6ad2244ce4d48708
SHA512b46a69e761a854d9a880b68086d5d7bb194794d867c17ef9367930a35799b70eb3e6ee54b08979eb042d8b572aa9ff11b1be03da91888bfdeaf382a906181efb
-
Filesize
1KB
MD59e4c4f532baa6f82dfd034b0ab422dc8
SHA1556d1afce88e5116a0da970cce66e46855bb1a98
SHA256db6d4ef6c1af3bcffd9ab208131793623958795322aee62059cf8486292ba94d
SHA5126a8858d5bc9abde251b5b555c52bf2a06771bcb167af710fa5a9f8796ea1d9e7aeb8af240691a5c2bb1c648f77ceb470bb7787499f53f2963985a37d8aae207e
-
Filesize
1KB
MD52125fb73a0e65548ef395af852c81c87
SHA15a4a71fba4bdc75efd5f06820a88585bb1794701
SHA25673075bb9c021c5c2881a6710c5944abdf2574b59e5dd32ed9d5d2c4e092ce912
SHA512b2d2c350cfee3739ff12cc448cdf87ef43980ff23b009a378ed36712878da49f7473c7c1a6700fb3436977b827928bd76dd6ed7ebb107eddf012a73d49458eb3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD53bd90de9b44b237db94933568d439af1
SHA1b7b1ab74bf161a99f71713102a339d51528d068f
SHA2568c25adce89eb05ffce1cb6f7f52dc34ebcc7c86b1a110e660744c2c2b71878a1
SHA51266262da96f424fdaccf3bb0c427514ecf94e71a18e47b10d25519b2292323f83ef833fda26b3f38a6df53b20588d777e2ac916c383d9a90312ae952a9106a2af
-
Filesize
8KB
MD5659139ee924540b804810d8a1c04a05e
SHA1a190863cdefd16a69f63c20dcc50e26c1d0b9e37
SHA2564d23a3201f93d94ee5a77c6d4e836ca48f4fa34ff18815a1c8b546b4fcf02fab
SHA5127d28e4554351c0a26567f6bc9a1881108a32e5025308dbcc9d67764e64e0ca2a45e82daad94ba998eea23f696ad7ad8a33511111919e4052c92f3436af60d9c3
-
Filesize
11KB
MD51df38f581cc432c4772756b1f1ff859a
SHA1b90bed7f43c79be0eb35351eba86e2215b9a5a9f
SHA25639ef08755f47b237df26aa2c7cf1c53d47593b2682be5e6d06f71153866231c4
SHA5127ddd952b8685275b1a33f6a640fa56e3ab59d2e32ece1b749586470a79f82ecfca58cabdbb48c1626154a223708a99038a78d59cb6532a8df1cdc66d2da35f18
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD52d69bf07ae76da3451d2c957842dc3fe
SHA1c0fcd3521350efa09b99b7fcbb31bb0d294ad6b9
SHA25670649ee5239754edddd4eb5a6ed7dfbc5bcaba88f6b8f1fdd06a3206c1ade44a
SHA5125288b355cf48821f93221653797a1f6fceecc252d92920fbedfca6c519ecb444cec25b77210f974bd4df6f46d8341482afee2b4a6e0bf1dcb33bd86a58723524
-
Filesize
1.6MB
MD5c5362c791cdbe5eee2c48ce80c0fcab4
SHA1c61826e5031cdeec819635935a40ff0cd90d16d0
SHA256f9a6cfdee1e42358707aff0f1005501cad63bc05de250e0a03b10a0ea8ee4b65
SHA5129ebf8509b055c611535718a81e311293b1e4b328e706b2d7386c15d89fd9e731d30637169361a83a3c388620c5aeea287b10bd3d31a961150068ccfa818605f9
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.4MB
MD5f99e9e2e436e97c1c0dd38e3f6a3e73f
SHA16a61e4608f919d096de6ed0aabcce33cd973ddd9
SHA2560b47bf2a002b2a5c9831f73d74ba4b57028f5acb0bc1c58f6cfb49eef8723b3a
SHA512911804d5cfdd828be8eca446a6eadcd1f02d314492562e23c341fa091edd11b2c83800042c62b30c164fed492da308430a1395de1f81844c8b4a5106accea505
-
Filesize
1.1MB
MD561ca2350464bcf0206a69009c08d0041
SHA1b41e244bde8ea03142e52b8d35546cd583787fc9
SHA2569fc78d3ec7ec341d8477b853176fcb9202cee3f05ad23c52ea724b2413beac6a
SHA51224d91c1d9c41d4488ce223efb1726d65e60cadb06ef2d63686206d72bd598b6706ea0d743c25f58ce7e450a0f05cbee59b1f62f3e334c108711ec8cc23cb3391
-
Filesize
1.0MB
MD5b12cd7993e03cd68845dba5b50ed8712
SHA16174c36b81b165f0544fb59c16cdbfd4d4eb15b8
SHA25640884660ae3fe9aa5676afa07c5d7c0ccec839ca85dd3c97d913f53133f6284b
SHA512e5c802b6a5299d986fc34701cfee0c5a84caa37f106845a96de9c696b2723a85283351c0b013dd26ced76246602e059f70aa80c172be953cbece0fc81aca17d8
-
Filesize
912KB
MD5f012e9bafbe64badcad49d7603b80e14
SHA1cc7ba7f46e6b62dc5aa23b451ee2137f1ff40e1d
SHA25663cceaa1e59faf5b4f9817cf9562c057169296db95e005e4df3bd7759b1729b4
SHA5124ee86d2e8c25b650a20af549481d2dc12e4e2c48b76bc81140aa14886949269b7ec85b5915a77bb4cb6672b6a23855ba6c797a8d65902ed91ef4d288726cbe35
-
Filesize
696KB
MD5825f8b45af5bf949d0b1c3df0af5d93a
SHA19c5e3135276972a295f5f2730b1abd14bc87594b
SHA2565b0574dcda26f870609e83f6ce0d46a870af75db70883e5cbfcd5572dffaf7e5
SHA512fc897a2a3e4b672e498f94db47c04aba0ba050ae72aaf4c3fc65095c274f41e55ee8ee7160167f3d847d1d1cd643f6213deb40ec506313b624e27940a5dbe3f6
-
Filesize
889KB
MD5329170db7797a04f381a1d79d2673d16
SHA1e2d5070a1538fda58e8541000626c1c977cfc73b
SHA256ca1f2672edb00f4ddbbc50c9c4c9d7214cb71e013c1c4a4d40c1850b4ec29781
SHA512d92be6a777f000658cf520d85c9f48e08b1bf3095fcef0e3bb02b6b608ee021138202f9a5692a1741835627390af4adbdb5667c0fc43f63f5d35b2606966eb8a
-
Filesize
354KB
MD5700d574e771638878de8b7589d40fec6
SHA1954f6f31854df10518ce84718a64e87bdfd8f4e4
SHA256c2cbbb1d0753aa8e040b624c182a7064c7a519bcb6d7582dfb0dc508624d43dd
SHA512575394f351eda08ab1c158fdd5dce61dedfdad874e2c82b4a1adff1872ca879f6acc7d0a550d84f2a98c25cf89ce5ab4241ffeba687b8632b65e0460bd845b8c
-
Filesize
265KB
MD515fe972bcfd9189d826083838645b850
SHA1d2bf7fee68e358fa71b942b8ae92e483536abf86
SHA256ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4
SHA51230f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
78B
MD52d245696c73134b0a9a2ac296ea7c170
SHA1f234419d7a09920a46ad291b98d7dca5a11f0da8
SHA256ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930
SHA512af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB