Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:17
General
-
Target
88994d9d4c1eecc9aa1be9338d3c8c2f4af84d994e9a4603803cfdc14429ea22.exe
-
Size
1.4MB
-
MD5
c2270a44669683b95cc484686fc26489
-
SHA1
e5e8aa02cba05069ae63f040fba87dae038962fd
-
SHA256
88994d9d4c1eecc9aa1be9338d3c8c2f4af84d994e9a4603803cfdc14429ea22
-
SHA512
cae65569233716b4cec09b80c3e123985de0a317027403274f89befd4aa9f576b1a507edf0917246b327773a8ecb0187418af61343162383124f22d729b8b975
-
SSDEEP
24576:NyByg84HaXpfvzzuDAU7NPuj/0qxUTlBFXn+fzCRyM3+Y9x9/bVuGkPQtv4CM5kh:oByg846XpTzukU7NPm/xUxTXSM3+YBT/
Malware Config
Extracted
redline
breha
77.91.124.55:19071
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\88994d9d4c1eecc9aa1be9338d3c8c2f4af84d994e9a4603803cfdc14429ea22.exe"C:\Users\Admin\AppData\Local\Temp\88994d9d4c1eecc9aa1be9338d3c8c2f4af84d994e9a4603803cfdc14429ea22.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iB3HD81.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iB3HD81.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wk9zq05.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wk9zq05.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ec8Zm58.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ec8Zm58.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zx7Or71.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zx7Or71.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ns89tN5.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ns89tN5.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BJ3816.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BJ3816.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK58xP.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3OK58xP.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Fm782VS.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Fm782VS.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5gN3LS0.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5gN3LS0.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6in7RR4.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6in7RR4.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\880C.tmp\881D.tmp\881E.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6in7RR4.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffda39546f8,0x7ffda3954708,0x7ffda39547185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,14864376025021346423,1546582897099543511,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,14864376025021346423,1546582897099543511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffda39546f8,0x7ffda3954708,0x7ffda39547185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5032 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16220997746789772470,14542147460771000458,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffda39546f8,0x7ffda3954708,0x7ffda39547185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,3309215125754622443,13951385253269549638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ucdsvcrC:\Users\Admin\AppData\Roaming\ucdsvcr1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD57740a919423ddc469647f8fdd981324d
SHA1c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA5127ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7
-
Filesize
152B
MD59f44d6f922f830d04d7463189045a5a3
SHA12e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA2560ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA5127c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d
-
Filesize
2KB
MD5b357f05f7414a1e9818f1b1eb217a0f6
SHA118a1f79aa398ce65e3d01920b6c023baa265f2c7
SHA256a7e97ec80c31bb411bbb0ca13231fc2755fd41f6884be704e01fae407361be62
SHA5122a45a9191221ddc2dc07e03ff354e014b20484493a45272339d72fefae6ae7ae6750bfd7317a58c99b86a7988f7fc4d21d9db1e7d7dbfca48891c9a7efd13907
-
Filesize
1KB
MD53637c0b9809e0fcae25d72d9c77dc320
SHA1ab532c6b5245891f21cbf47dfe10d41865a29ee4
SHA256680e75a3facf1e817a3c5f0f2dbedf3c35efad5b5718dadd01a5995d2c92f964
SHA512da4139cdd01a60a1f61a6879973d25fc4765d945f40810a33cdabda28414140d9aab4fb65fdf400cb5f876f92e008e205b728872ddbb74e9c489ed87bf27d0f1
-
Filesize
6KB
MD5e5d83b3cd607517ebc7f0326c26d18dd
SHA145b99d2d2a865b0e67df8510430b1e2e581baea9
SHA256f4acc092b5049c8c136c389eaf409b220e06f648e36797b0d0f81297ed8845d3
SHA512b481be01db3e3af43e2628286c288da771878f31cff46a7961794cd280891ec704718b3357bd870b99398983dabe1dd83162cd86663d0587a4d525a91a88ef24
-
Filesize
7KB
MD5471f92bf123ca3ea4737e37d161fe24b
SHA14704f4f13aa23db1f17234e7fc6f68db0f3d67e0
SHA256d426b59714218a253fdfd6db0569489b3f7c150735e640612446b486256c4ed1
SHA512a7bc06381e28134a5d4cbde29a07b3f353f8919ae8c0bd7a75d9e104f776066b0cab23caf0c4e6192e18a4c405612952ffe24b793c252e03d931dc4169a0ad2d
-
Filesize
89B
MD565bfe0d3a552c2f4db4964c1bdba367d
SHA151f38a18ddbbb9b37b3d9eb07cd16d9cd8f2e804
SHA256bc929acf9db8af49f80f55a51f87443ba35c6ed6a2a78a3fbe3f28f4f3fd1038
SHA51288ab97b3e32154cc6b535f625203c32fecd43d1b4e2d76cfe766b1a069c2d2eb12a1564d70212ba899585995cfe34b1a17e00ada728c8c9d4c8f1b5722b20185
-
Filesize
146B
MD5c03bca12152b97e0b3d9e0e36577ea3b
SHA1de78f952b90ca2cc33bd94350340323c84228300
SHA256f12ec243e61ff0ecf4225047cc6f17dff57bbc801b65201bf1ea312d40830f18
SHA51279dfc499da2500c33d91e9190509c29693352bda1c319b83b6c3218b43e86741435df9a27c42df21f9be363f55424d34f996ab573462f3fa8e1393d4b8d54ee0
-
Filesize
82B
MD510ea053cadc565c2fddf53b655eef5e5
SHA136cba8a1f7d7e9e55696a4efa0212e942cc764fe
SHA256ff192f5ae8f20ea812ccb9e9a94c28b5a7f6a854b1017a39b4c6eebfd516c6a9
SHA5129b698ee4f8c70c616ac0c7d8307d769a33e681c55cf6741da5c9a2ed9e7bda4a99c3c0b36b4e2e65536b48dedf10c0786d2313c0a43c12fc271ea8e1e47fe380
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD553672ff5d0c196c723700b8f295dbc52
SHA1d850962a9bc43fe1836b5e572c39012d0a077de0
SHA256d734458cf60390e8e3bb8549d0ae7253d3baa667beeb5d36395b23e450f14ca3
SHA5126dfefd959438b1fa2224036e69ac4aad642346d34b0458a9e9a703f954fcb8d6d4443960f2c62c3bbcce95a51132b3ae8d05d91ac0d9035fbef8de9fc9999ab9
-
Filesize
48B
MD5632d58b25cc5d464e283bec3665575ba
SHA1eb086df52a2cc3bfba2c0a772066f1fbd0392baf
SHA256adcfad432bd26392625915b7dc00b8299fb268b06ba0f04c1d11d7a0a15792ae
SHA512b1ef7093324f427f23ce4fd0009920d32d36d6d4ec42edd1d206b2c2ac74a8fa6714deff1ae030e87bd563236de41d347eb4409f4158a191b8ad9d8abef7d743
-
Filesize
1KB
MD5e9fc358a2c02a673e38b14d398c4d925
SHA18c45c6949a847331a240ced3ac71acc2151f084d
SHA2563a11818daea5b019f067728e4ef33109ac745f7d8f4a430047905c0e305e9f44
SHA5128fa2b269c3e7b3387dcb1da4d22bab7d3e56c9a92fa66d09856db29ec6765df6de6436e7c191ac20c4b32d133372c8a613906b0514b4169ecd25264804c73634
-
Filesize
1KB
MD577c2719b3e1cdc968dcb06f13850b59d
SHA1997edc997b237424028f8a1baecbf48b0e201a93
SHA256ef2d8585ac7093940f365d2d213ff09392342ddc05035a963e47ab0e2599adc0
SHA512a0487b409d802ccf49f1b342cdfce5faeee0d79562d4d85bec0a0e566bc83c0c88c097e32e2a08912ca9ebdaaa9388b7c9f62560eebf08c6aede5f94a261a86d
-
Filesize
1KB
MD511a141dda61fe8d3965858af068fb007
SHA1947073de929966573adf6ae13e8851da9bf6bacf
SHA2561d2dadc504e8ec04fed12d1f7b6e3eb6155316342f32c5ac784c292558818eb3
SHA5128d8bacc42ff35f5e95138974552b7a24ebece17fa767abafb89cc95206f5ef6ef51efcec2cb10b96015003735275bbde27d0018deb8c219628a527c38cbac76d
-
Filesize
1KB
MD57e783402edb40d4e2aa8f2a5b6c082a5
SHA12c09a2ec56e683f7c070c1a2666d14605e3fa180
SHA256d4c219f472a48ca5730d4f2190322e9d181bead18505174896272dd992628e87
SHA51206aa8da03c0aa23192b122bdfd6e1a1664fcac055c716502a43abc5db5fcd2e48b859aa43c8d29decc7ad743f51ea3d63dd7caa9fa4134f2396cdab543b2c20c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5370ce697de9bde1e5da48e38e430725a
SHA1d3f6b04d0760d8cd1ab80b144868b2cb4fd07c74
SHA2566685ce5b4333dc3737a867684130140092a92adbaf1a3518c678005a555e6a01
SHA512f39aca40548fdb86bd04e1920e0e37271ed1a125651adb42013df845cd21c3d33165d00cf6652244fca0004b6ee5363d6f2629cead2d9fd67e4450e1019cec49
-
Filesize
11KB
MD5eb0204d8f548cfbc1c1f02dd2f2a0087
SHA142aca6b6b64118a4125036e0a114d558d1199ca7
SHA256da77b56cdfa2c0ab5e6e88c79c52e18b40277a8c2309656bfa56eb4af6d7d00e
SHA512e09e6de957d22f43e5da4746722205991a4d1cae8aab57750e0704e43c58eb1e20d9842ecaf6f5cd757f27b609a316658b21f0bea4539a0b93d63f1864e63836
-
Filesize
8KB
MD59b0b632bcb71b88a47d70eb1a4e8e251
SHA1e0b29935df929bc16883162f4e074b4684eabeb3
SHA2564c63939060280a83f66106bdd078b9a175e9525634a9a6df776357c30b76ee41
SHA512f63d2605fa2cd3a048eedd47c2472550d143283edb8c7c8d7b38e02e0f5d4d17ba2942d1750e5fb5e283474bb5506746e06bfbbf6e041353759f93d42fc79711
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD57da45d663b62eecbe7bd650a9016bc5a
SHA1ca4b4a7e74c95773f5d728f9db0f87c70b7a2e53
SHA256f8f451b0caeebcca2a6f61c4fd65d00a812f75bc0326f384b696b8c73348cdb6
SHA5126422037a696e7a1ac7d61ba1932cff2ba717e8b7d82275ae14061f93c6d87c3a611a4d5a09619cfb5049c898a9d3abc5bae54a05aa45d41b8597c54d4038d49c
-
Filesize
1.3MB
MD5caf4538426e0929cb8a2fabf471edaa6
SHA1b393d01873f25a52835541fe9c293b42f733d86f
SHA25662432bdecd41b71e352cae25e6577d999e3c18b425e1f3ee440a04a136e25fe1
SHA512e661c17729ccbd1120a8582b1a90177944390ca1c51d1cfa17b58bc6fd8fb0f999aceba03fc34dfeabf10132ceedeb5b28f98a712f3fa39321636471612408c0
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.1MB
MD5eff2c62ec55b6a7569c7487d1722ae0e
SHA112ea1d0c9148e32a46d63726f3358127435e82e3
SHA2567192d984f0f60b4f27a5eff4e5a48b065d6f9ad0b45bcb4be16fa287642c2625
SHA512069791e4f1fdfc6db4f0d8dfd0e3ff0650a2cce7a9b9fffada6bfaf73de89eece4b890b1927cbb696ec324f55bfa1dc468e8b608a517d0f6a267b4da89fd107f
-
Filesize
1.1MB
MD5a0396aa4bd6313c0d31b179875b918f3
SHA1c977b0bc19e7d7395a6d5b8e11e0d5e14d661a9d
SHA2563c575d849f8ee08dcb748a9d19fca3300cc08614590244bc488c9973d709d95f
SHA512fb2c1f467f1ffe4cdefc614e690917e86b98a1ca97e6b9c0e978d3fffae46ade1668e4ab91556830f84f7d93578ac8860c8fc28870cdc772942062d76c1dc316
-
Filesize
734KB
MD56c8fc3867e695b67c693f3a68a7f4467
SHA1ed76877ea0f77b1276001f119b35a0f45bc946be
SHA256d3674ac302727773acec39abffecbed12557ddec29cb9bcb9e3c4c33ba2d70d5
SHA5125ff1308d8a5cbf58f38364467137219193420c6dfd729b752e489272509785c07b3df15fc59a614eaaf32cc69b9f38461a073983a9516b767a7ec56117748ebb
-
Filesize
939KB
MD5d756b0005e4bf4b9f696c4c5aa336e60
SHA12055258befe9150fea64bb7754c4466e34acd351
SHA25699a1a027ff9447fc0156cef93d9205c2806bcc93d1c82133f78994a5fdc1f32d
SHA512ac7e31a6c352c57312d02329b24e0e7173e47d16c25205eb8ed07eabdedb88a74e2f182c2739d721369982b551c3f35e2ddc5e3d4621ffe14e4b6215ebe33134
-
Filesize
360KB
MD509709e40ab565c1e4a44a54b2f3ac9d3
SHA1086df0dcec91645cdda614e3f06153a7f8f23b58
SHA2560c1570372c4aa76edde30181545ae42843444933c6a8da8c72d58b1de267af16
SHA512477505419f08d4c294d4ed3340895bcf2ea568a79f5c3e468ffbac5d071b046d96fa9d155f41ac19e13d894889d6b06275759ece15643b71e5c1a02ae1373fb6
-
Filesize
189KB
MD5caf63a774b50e2eb015be1e12dd28e35
SHA1e11cd284e8df8b958ff6a90054fb238bf41013c9
SHA256a2a2ec27e07ef5d314adbbff52db15838d300f920896085e876c1050fbdc1b69
SHA512003357fe8c5663b21443ac013d7a5c00093ee5865c8cffa48bae71a48c0dcd79d914d8110c58b3c9faec730977d5d265b68042d35150a8e595c8415abc38e737
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
120KB
-
Filesize
128KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
240KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB