amadey | de31b21cb75660b6a422a35543500d06d4d5ede83ffb4856298616784432df3b

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe
Size

1.5MB
MD5

7f5f4a01766ce8e3a62e2500295b4f62
SHA1

207274b60050750baf6acf9ed6ccc0f5190060eb
SHA256

48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa
SHA512

5530031af67a5da6342a989cee9ebfb9551e83bbf7a5914ea388aff4ef7435935c3ae4a15600578d0a2c1cce37472f3f8a20c4a7e31e510a6379fb780c8ad223
SSDEEP

49152:6jh3gXlMsVdcsGlohngjhJflpaywgGxWIQ72:e3+lMsVdTG6ngdPpaywNxW2

Score

10^/10

amadey mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002336c-37.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2736-49-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	6vI3Zs0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	5Km0he0.exe

Executes dropped EXE 13 IoCs

pid	Process
4784	Hx8SU86.exe
2572	tN6wj69.exe
3236	Mt0jJ90.exe
2384	bt6zC43.exe
1660	1dJ90Nv6.exe
3872	2Jw7226.exe
2856	3VF22xX.exe
4936	4Hi545rH.exe
2232	5Km0he0.exe
3200	explothe.exe
3380	6vI3Zs0.exe
5204	explothe.exe
5912	explothe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002335d-70.dat	upx
behavioral1/memory/3380-71-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3380-79-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Hx8SU86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tN6wj69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Mt0jJ90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	bt6zC43.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 3204	1660	1dJ90Nv6.exe	102
PID 4936 set thread context of 2736	4936	4Hi545rH.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3VF22xX.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3VF22xX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3VF22xX.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
384	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{F8268BE6-961C-48BA-A20F-CA0F7A208121}	msedge.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3204	AppLaunch.exe
3204	AppLaunch.exe
3204	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4784	4812	48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe	95
PID 4812 wrote to memory of 4784	4812	48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe	95
PID 4812 wrote to memory of 4784	4812	48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe	95
PID 4784 wrote to memory of 2572	4784	Hx8SU86.exe	97
PID 4784 wrote to memory of 2572	4784	Hx8SU86.exe	97
PID 4784 wrote to memory of 2572	4784	Hx8SU86.exe	97
PID 2572 wrote to memory of 3236	2572	tN6wj69.exe	98
PID 2572 wrote to memory of 3236	2572	tN6wj69.exe	98
PID 2572 wrote to memory of 3236	2572	tN6wj69.exe	98
PID 3236 wrote to memory of 2384	3236	Mt0jJ90.exe	100
PID 3236 wrote to memory of 2384	3236	Mt0jJ90.exe	100
PID 3236 wrote to memory of 2384	3236	Mt0jJ90.exe	100
PID 2384 wrote to memory of 1660	2384	bt6zC43.exe	101
PID 2384 wrote to memory of 1660	2384	bt6zC43.exe	101
PID 2384 wrote to memory of 1660	2384	bt6zC43.exe	101
PID 1660 wrote to memory of 3204	1660	1dJ90Nv6.exe	102
PID 1660 wrote to memory of 3204	1660	1dJ90Nv6.exe	102
PID 1660 wrote to memory of 3204	1660	1dJ90Nv6.exe	102
PID 1660 wrote to memory of 3204	1660	1dJ90Nv6.exe	102
PID 1660 wrote to memory of 3204	1660	1dJ90Nv6.exe	102
PID 1660 wrote to memory of 3204	1660	1dJ90Nv6.exe	102
PID 1660 wrote to memory of 3204	1660	1dJ90Nv6.exe	102
PID 1660 wrote to memory of 3204	1660	1dJ90Nv6.exe	102
PID 2384 wrote to memory of 3872	2384	bt6zC43.exe	103
PID 2384 wrote to memory of 3872	2384	bt6zC43.exe	103
PID 2384 wrote to memory of 3872	2384	bt6zC43.exe	103
PID 3236 wrote to memory of 2856	3236	Mt0jJ90.exe	104
PID 3236 wrote to memory of 2856	3236	Mt0jJ90.exe	104
PID 3236 wrote to memory of 2856	3236	Mt0jJ90.exe	104
PID 2572 wrote to memory of 4936	2572	tN6wj69.exe	112
PID 2572 wrote to memory of 4936	2572	tN6wj69.exe	112
PID 2572 wrote to memory of 4936	2572	tN6wj69.exe	112
PID 4936 wrote to memory of 2736	4936	4Hi545rH.exe	113
PID 4936 wrote to memory of 2736	4936	4Hi545rH.exe	113
PID 4936 wrote to memory of 2736	4936	4Hi545rH.exe	113
PID 4936 wrote to memory of 2736	4936	4Hi545rH.exe	113
PID 4936 wrote to memory of 2736	4936	4Hi545rH.exe	113
PID 4936 wrote to memory of 2736	4936	4Hi545rH.exe	113
PID 4936 wrote to memory of 2736	4936	4Hi545rH.exe	113
PID 4936 wrote to memory of 2736	4936	4Hi545rH.exe	113
PID 4784 wrote to memory of 2232	4784	Hx8SU86.exe	114
PID 4784 wrote to memory of 2232	4784	Hx8SU86.exe	114
PID 4784 wrote to memory of 2232	4784	Hx8SU86.exe	114
PID 2232 wrote to memory of 3200	2232	5Km0he0.exe	115
PID 2232 wrote to memory of 3200	2232	5Km0he0.exe	115
PID 2232 wrote to memory of 3200	2232	5Km0he0.exe	115
PID 4812 wrote to memory of 3380	4812	48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe	116
PID 4812 wrote to memory of 3380	4812	48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe	116
PID 4812 wrote to memory of 3380	4812	48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe	116
PID 3200 wrote to memory of 384	3200	explothe.exe	118
PID 3200 wrote to memory of 384	3200	explothe.exe	118
PID 3200 wrote to memory of 384	3200	explothe.exe	118
PID 3380 wrote to memory of 3700	3380	6vI3Zs0.exe	119
PID 3380 wrote to memory of 3700	3380	6vI3Zs0.exe	119
PID 3200 wrote to memory of 3784	3200	explothe.exe	122
PID 3200 wrote to memory of 3784	3200	explothe.exe	122
PID 3200 wrote to memory of 3784	3200	explothe.exe	122
PID 3784 wrote to memory of 4160	3784	cmd.exe	125
PID 3784 wrote to memory of 4160	3784	cmd.exe	125
PID 3784 wrote to memory of 4160	3784	cmd.exe	125
PID 3784 wrote to memory of 1948	3784	cmd.exe	126
PID 3784 wrote to memory of 1948	3784	cmd.exe	126
PID 3784 wrote to memory of 1948	3784	cmd.exe	126
PID 3784 wrote to memory of 3204	3784	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe
"C:\Users\Admin\AppData\Local\Temp\48a3fbcc0f4c9649eeb3e94e532de3b50f11e0221a4e1089758ae2cca1348ffa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hx8SU86.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hx8SU86.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN6wj69.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN6wj69.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mt0jJ90.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mt0jJ90.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt6zC43.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt6zC43.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dJ90Nv6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dJ90Nv6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jw7226.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jw7226.exe
        6⤵
        Executes dropped EXE
        
        PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3VF22xX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3VF22xX.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Hi545rH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Hi545rH.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Km0he0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Km0he0.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4160
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        
        PID:1948
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        
        PID:3204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4500
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        
        PID:1964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vI3Zs0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vI3Zs0.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FD3C.tmp\FD3D.tmp\FD3E.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vI3Zs0.exe"
    3⤵
    PID:3700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:3976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3968 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:1
1⤵
PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5876 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:1
1⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5964 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:1
1⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5972 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
1⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5748 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:1
1⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6184 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
1⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6348 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:1
1⤵
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=752 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
1⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6312 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
1⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5432 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
1⤵
PID:5676

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD3C.tmp\FD3D.tmp\FD3E.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vI3Zs0.exe

Filesize
45KB

MD5
83777439e71bd2206cedd2d82f791eac

SHA1
a4b77335c0a851bae42849bb235cd2c903a98fd9

SHA256
a1be039e68d47a76b4f23f85e4222faaef9481e4101b3555c0d189da1bf09ccd

SHA512
e56407c4a0a74967c32fc5a27b0ddea0d93c45ac7e60fae415349ba7419137ff0b7931fbc304980aff8987e10776fe128cde2b52f2063738b38f441b8b76d279

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hx8SU86.exe

Filesize
1.4MB

MD5
146ca8411f87211a61956a935e83f8f1

SHA1
31646928990ce388efd0028f076e2a6e5146e1ef

SHA256
24860b93e89090b3f892c6d293831411a964e671219b57389834df1d8c309a89

SHA512
027873ae4c2fae4af66f8b57f57b2d32efb97c9890728a0879a1bc2b8ef4241be2405cac8e8760a9473c6ef223cafccf636e566a9503b7df3cfc8163202e937e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Km0he0.exe

Filesize
219KB

MD5
22984e041a9c7e72e6a4cfda758e5650

SHA1
c4a577cf129b2accbb4bf06a765b573091c579b0

SHA256
468fa131b5f367ca3c052222615e4ad88230ae3e40d219f4ab1d36a37a4e43b4

SHA512
4b34058898dcc0986e09b9d6f529ce2f75a09d1726610b8ae007f3ef8af2ad0f44a7e4cf2723cfd322742ab24bd7d869a756315e0823d9b9b964a05416484472

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN6wj69.exe

Filesize
1.2MB

MD5
5cac9522fa055435f98aa68bd658ac31

SHA1
a097c3a06260e5d61f735f41d59df0799da10aac

SHA256
577061cf6b0d9dc055ba74d3c7a3e400335e3467613ff13a8e64f41fd8cd2b9c

SHA512
0ffe80b78e3a036406f9ec39ecf6d65486cc2502449fd478a7f66eba11e0c7b5a40d39d0eff83522f0b45f7ff9ca695b4e6de071f3ae68601f47e311f483e476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Hi545rH.exe

Filesize
1.9MB

MD5
09daf569281aa8b3e7fa8c7818e80a56

SHA1
de268714e180ed1a480fe5add1b57ee006817d0d

SHA256
52c7bbcd24ebeed998057b6ea54dc15ec8482ffd8ff03fe2affacebb6068490e

SHA512
59e7126564312bbb9c864accee2091b2abd7c46d83c8c29a6dc1d54f95253be263ed8be04772ea2a25670a6df461ccd5b822d8832a3fbbdc9655f2ea5e850184

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mt0jJ90.exe

Filesize
697KB

MD5
d559a0521fac87603ad7d6c357e40a16

SHA1
bdeb44600b552c1fe0e6306d81dc6160a789d8f5

SHA256
156c79b583d98b2736c1ca7e8d90c25d4992a8e625e2d4ea3392fdc8020dcfb0

SHA512
09d547cd9f87fb7acc0c968f8063d3abe9f9ecfd22d0be248959b32cfe976898e98f728b624e7e899d7fd09739418b162bd696cac85f38d5df0ed073a2e095ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3VF22xX.exe

Filesize
30KB

MD5
43ec5b55996f96f52a37dd9da57a255f

SHA1
8a5dd78d21410198359b1a68f91f2b47f64d9d1e

SHA256
08a731b3272ffba789ccd09d0d6dae557cf3d912b6d42106aaafa3eb890ecbec

SHA512
da5b45dcb7d43f82e3b3bd1e37aab1d8f0999ee9e33c6ee28cbc5f21a055e496f389d91933da114ba11f86fc3bb7917c0c895378d525620b1a89ca91d2d155f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt6zC43.exe

Filesize
572KB

MD5
e4dd28261884c60dc886eb0fbda25ac0

SHA1
23694fa1a75cc0aaf52ffbdcc2a4ba54bf3295c8

SHA256
addd84dd5b74b652f9cb6427ba31bac3c0ce1330afee208476ca1ff7e58da131

SHA512
4262e5af439dbe62c95220ad63ac1e970303393a8b1e2109e9bcadb39ab20c97d2aa504c33ec9e377a92d3d9220709525df6aba06076bb01701cd97dca58ff05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dJ90Nv6.exe

Filesize
1.6MB

MD5
1a426cb8f9ac97c1bea72cab4f1c2546

SHA1
32e7fa3372dc121c27e1f66c3ef1122af1ceb3d6

SHA256
2852e1a8a77e92bf2f3f79c01f4b61c75e5b62f9d9a2da9d76011b9727092b6d

SHA512
059cf67e3e5f2dd1fcd0b6c9b0cb36421febc8364c107ae2bbbb0d3539ebb0ab042a2ba8f206aeede561c1eab387ae467a49dfeb2ce22854e38a090b9df7bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jw7226.exe

Filesize
180KB

MD5
716363bfe4f138975e20a8733050bc02

SHA1
020fe7846d9778db182677c8dbf41d8679bc66af

SHA256
3fc97de0c136ed3f5a97983085b08f9bd90915827817e6fc7040b63080cd588b

SHA512
9de2ec1e51abc6f751e7e5158cd83145eb9ffc42ec2a76b91dfecf00555ff088a4d5173fd8f4d890b17744fe87a58bd2c9618ce6335eb7607d1392b67230a8ca

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2736-75-0x0000000007590000-0x00000000075A2000-memory.dmp

Filesize
72KB

Download
memory/2736-73-0x00000000083F0000-0x0000000008A08000-memory.dmp

Filesize
6.1MB

Download
memory/2736-56-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/2736-57-0x0000000007820000-0x0000000007DC4000-memory.dmp

Filesize
5.6MB

Download
memory/2736-58-0x0000000007350000-0x00000000073E2000-memory.dmp

Filesize
584KB

Download
memory/2736-59-0x00000000075B0000-0x00000000075C0000-memory.dmp

Filesize
64KB

Download
memory/2736-61-0x0000000007320000-0x000000000732A000-memory.dmp

Filesize
40KB

Download
memory/2736-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-81-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/2736-77-0x0000000007640000-0x000000000768C000-memory.dmp

Filesize
304KB

Download
memory/2736-74-0x00000000076D0000-0x00000000077DA000-memory.dmp

Filesize
1.0MB

Download
memory/2736-76-0x0000000007600000-0x000000000763C000-memory.dmp

Filesize
240KB

Download
memory/2856-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3204-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3204-42-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/3204-45-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/3380-79-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3380-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download