Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02/04/2024, 10:17
General
-
Target
8a22b3547d55ed1bf92532b2a248957af18942f3341b54d624846dc2351dcec6.exe
-
Size
1.5MB
-
MD5
2f962323209282ebba31efff7117d0d4
-
SHA1
0fba8348c9cfcf54a0dd29b2acb9f0011e049484
-
SHA256
8a22b3547d55ed1bf92532b2a248957af18942f3341b54d624846dc2351dcec6
-
SHA512
72ae199946d0ddd3b9f44eb59eef6ac8ca31d8db30fa1562aeaf47a4991d9e4c081ed0d307bad41ae744e6f225f0026c34cfb0f81f65fe7e7c34ea922cea026d
-
SSDEEP
24576:Sy3l3ne9IPlf5pI+C14ESn6d2kQGBoiwdGWmg1hkiWmEcksD2WTPqG/t:53l8U5p4Lw6qK/fw2WTSG
Malware Config
Extracted
redline
homed
109.107.182.133:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a22b3547d55ed1bf92532b2a248957af18942f3341b54d624846dc2351dcec6.exe"C:\Users\Admin\AppData\Local\Temp\8a22b3547d55ed1bf92532b2a248957af18942f3341b54d624846dc2351dcec6.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mF7Qx02.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mF7Qx02.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Va2yH97.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Va2yH97.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw6Mc35.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lw6Mc35.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZZ2dG99.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZZ2dG99.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1el39ry5.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1el39ry5.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2le9059.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2le9059.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3eZ85ws.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3eZ85ws.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ey042JO.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ey042JO.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Nm0ZY4.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Nm0ZY4.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qo4PQ9.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qo4PQ9.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\55E0.tmp\55E1.tmp\55E2.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qo4PQ9.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff928a246f8,0x7ff928a24708,0x7ff928a247185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5792 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17654188377140346808,4594453818367387019,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff928a246f8,0x7ff928a24708,0x7ff928a247185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10140087386214826402,11922127182253234733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10140087386214826402,11922127182253234733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff928a246f8,0x7ff928a24708,0x7ff928a247185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,5124980376400171069,6666267036840634360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ftagvrbC:\Users\Admin\AppData\Roaming\ftagvrb1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
1KB
MD50ba386e2fcdb5aa1fc084b875e775017
SHA1ae352baa94379feedf4ad2e3232f4da758f89d03
SHA256cb62db45d14e4369b35be2ba1b2c456684f447dd318ef30bc7dada1434441a44
SHA512023db438c98902233028fb0e0a184259196ed6173b9817f841321735c0f42e969e479969e4a148ecb87dc7e85f00d3a39f40da082865560bffa2d5c908fb05f2
-
Filesize
1KB
MD53d4fb8a25a369c19d6f71e8c80f2fe49
SHA1f33f9e4a88b22d6512153e5202f0965a5adb04fe
SHA256d1d163c8151bd8754bc6060f1d1ab5589f25675f65b39b1f123700e96e10213a
SHA512c7fe775479d506a28ff481a9c5e15a78cc5b0ada9e4e545d7648551d12d99996515a6434af8ca54e61d8bf6405fa7efc49afa3a5ae52fc7bfa54aa60869ee954
-
Filesize
2KB
MD504dc7b09a9f931505670517ce31347b5
SHA1ccf04545c953dc92b98601e36ea8293657bb03fe
SHA256acadaf164b8ec422ddb77410760d83311ac4f5efdd8ac0d45f8dc8a7e337e6d0
SHA51280b546b7960435b4737aa9abc0a85a8f59e14e7308e1f5ae837db540dda4259e307009ed31cf52d4510bd9ca53e325bfe71be49ea1a77651d8411c0513df1d84
-
Filesize
2KB
MD50d07e6cfbce23b072bb928ac4840dff5
SHA11a8538ef5c5c6e2c1ddc28715cbaa327293922e4
SHA2565e70a1e9e4bbe72ca5a7908e59d2f07cff8121f43762150bab23a9623edbf15a
SHA512937e515ef5b612c02c4734b6ed8cee9dc9f67cadef3cd777d0794c169a1a281fddaf68c408606eb669d297d2b58909c5c76d59b6f525887f783f6b822f6e99ce
-
Filesize
6KB
MD5af36717dff9724f0557f7c2c61471d3b
SHA1ed6797bfe91b410bdcbfa3d30244e21972652a5d
SHA256bfe2d3177d03eed4c3bb807665bf422941fd8a0657fa4f0bc080a670b0cd5a4c
SHA5129c94b10bf214557f5a859a21edf4375839c00135e5d757e8c3417bef2e0b101356001d8afd6dcf5d0813f11e41ca5b94f111f9d4d9517a6a03e7277fed1a0602
-
Filesize
7KB
MD558da1d630d9517a315ad8dec95b63d58
SHA11fe74162a76f150a9ea13ac1307c6dea44d97295
SHA256c8963d0368bfb38213319463e6a268cbf766b0eec1d3a292c6834b2d6f780aef
SHA5121bbcd986883c2725a2c77436431e3811b200e478f80bc0b1b7cf1bc5d16a8e5d8010b515a4f97668762eef79e0c514ff732eccb9a842ebdd6137c9314700cd8f
-
Filesize
89B
MD52534213f30a283d57d097a0a4204963d
SHA1be4db8d2270a504b52a7bd957a228815cb3123e9
SHA25674cf412210e22ef990a8bd98c3d565de74a6ac9b949a15132e2968a43630e925
SHA512f6a70d6d9e02ed13204daf6b5bb8a805fea4fa9e247a38af57ac6307ba459354823218e4fd352f96d2e51456650475e30807fc9fcfd08db8b864cf8c87ad8bc3
-
Filesize
82B
MD5c99ea4aa0ff599f2339b11243de51fd3
SHA1309372980a23e07550ac22553662e2e3ba1014d3
SHA2560ebe0f0378f564b305e0e571e73dbcdff7b79f2541e60a7a1522f81b69488947
SHA512a46debd01e97395cf6faabbde8bff6a6c4db4e6118aa15807b445bfb0cd2b22201e67789606690270f0c7c113105050cf63996334dfeaf4e544d05bd3f838bd4
-
Filesize
146B
MD578908d792856e9d3a4f3a144cc8c5c0e
SHA1e4f83e7433081650a1fc74a50f20770f66652720
SHA2566ea5371e5bb4bf6b54325bd763bd96ae7e7efdf6d910fdb6cb5d814676a77ec7
SHA51225c26b9a085a609f13d4e329d48c5eb95d467ab02d028ff8028a75e2914677f8c4804bd30c1c0699f715f73154e2ccc0c40b498aaf914cf1ab0dfde8db1d6888
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD54e48f7b63eb067c0817d1931742d3556
SHA1bf30ac92909bcaef8fbfbc306bf4ec67169cb35e
SHA2562c53fe7a8f5d324583ece7f577a6b40327ae298847c2ac90260cf70bc506b2a9
SHA51236b40269f6dc4f442d96952aaece083cf2bd23e1d31f42ecf3ec11d114ee81951dcfd5acafcd9fe8963f2ddb660bdfd2f1f7862579ffee725033f48677310d98
-
Filesize
48B
MD562e5f41b90e16d663aeb4655ddbad5b4
SHA1f63f397ae23d4e482dff36c393692433a600e15f
SHA256c9d5384af3d31f970d391b87b7f67ef584ea6f29794f9e4a31950d60231b149b
SHA5124bd458624525916eaa85deab1cbf573357985c56ab61ff59f1ffdbac3d9cd51ee72ab49b35dc407d5fcebe4ea1e483fddbadca13702966b8b609c87f07a3b5d9
-
Filesize
1KB
MD5d018acf3b469b4b9b77bfb2f840069ff
SHA190bf07b2975807114780c7b5f8ff5c62dfcbbd4b
SHA256d4fdca03fdf039dd878843f8dfa6938af8f052cada9b57934c1c008e7f2d6ac4
SHA512c1f4431d4fbe94a1d5fd8d882f6940b3d37ab541543455791e3c49bf4f2f3f4886eff8be7c6ba960f164969b7720ac2780dae9e14f4aa811d83f10859c1975a2
-
Filesize
1KB
MD56b2e344c2e6fdbf58ed21d34f1e28ae5
SHA1ebeefe8cc05b8124eef81d992f73c590df408222
SHA2565dfd7c73aec0bfd691b59b026278c44bfeabfa7214375420a80fcdadfffda9b8
SHA51299d6999ebe17697e850c1c24f906319df0a441a5062a9a1ac595d74e9358fd012cc66a4c8ff55ebe04b88c8948450bb4cd4f8e1bf5c8c78a1156a56a8f7ea51f
-
Filesize
1KB
MD5b522b020e3f4c3afe9734f921fd7714f
SHA1def7e82de422562cb6ec905385b8be82bde0ecd8
SHA2565dd0543e849078632106cd86dc39096c680008588441fcd2ad53aa6974844f95
SHA5128d4f83554f7bc5e2f013210255c5162fc08d0abe834ce951b93ca352c541c427a3c07abf36787266a55f442f2873e800ad48bf5819f83c3c5a42657be591b99f
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD58524176523a8ecf0dcbcc321df53513d
SHA14a7c4e7ee6f62fa2b8db0a0401ed694642cd24dc
SHA256afedc96a0856899f50f226f5e0244e8d48b7d6507532076c624f1d42db835080
SHA512dd6d8cf00af5f0305d5867af4776633ebcffc94b5a874654d373e92890a965691ecfc257327642522feacf96253a79da7d977f5c633acf7167a216374337ac12
-
Filesize
8KB
MD5912c5d283a770f618c19fd0bb72f36a8
SHA15ee3de37961e8c14a1d1221ba6288ae07a2649b0
SHA256ff8017ef98ff095bc8bcc6ede21abdca46e5091acab270379624f4c162d93462
SHA512606d2c7bde85ed098c84f27365c3cc00609f9a5761c2e0fba35bcd988d13ca0310ac987b1870eefeab2f3142fdd658ec536d4e7a43932163f7aaa292ad6f9826
-
Filesize
11KB
MD58979371b76e1a32591b7490835452078
SHA18ddf477f8816887b7951320075a6f1383e74f15f
SHA2565db0fea1806ddc222813518cc9a6c4417f393bf7a1351f8fad7ce3e06cbf9533
SHA5129fec1096488db7b7eca3e418e55fc9769865e852868b07ca162a617d062135157f40554b8fd5ddfe87f67dfa2bc137be5979d76a4e6a8d086364eda0cfbc176b
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD5fe989dccb721a8e46fcacba8798443a4
SHA173d0396a7273cc2357faf3dd66774bcdafc13c02
SHA256c8ef140ee768082723f0e94f4c76b9adcb9ff185a57aed30bdff0d9d1458f349
SHA5128ffa3dd3a43b20224c6b5d932a66d3e4d8ab06fd00a32938030fbf4f9eec9aaeff2a16465db26b3b7928e1092d04a5c07b0556d51cfc3c57f036679d4f20b120
-
Filesize
1.4MB
MD5be80b5e4a91da68c86e741bd013e895f
SHA110dd428fcba414287792b2f00cf357db5d6c241e
SHA2563bb01eb90203338c0445e6d8b139bf161ca669f8c508669511975baa255dc8ea
SHA5122771d05b4d12a091aeef536353081a98bd8103fe0a5ecc474937a6f6ad39440b1ffb46c0dfedc48cfb33ad32c69518d757b2ffd804d2d4c3e2af6129637af42e
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.2MB
MD5998076f44f780de1906fe9e3a4de70ac
SHA18a0b581aa632eec1d07b944e4be85c6bbaf0c845
SHA256f389062d4f56e260b933d34b0310233dd17e7fd47e2535105c42cc0d9a34490b
SHA512365eebfb3e23895efd52ce67d7015de58cb8630d2fb7a56c04dc70b73af9be807be3fbbf52b4dd51ffe8d113cc8b232ec7459bd73d96cd601d696f7a6baa2b25
-
Filesize
1.1MB
MD5408142150615ac9ec9fffa52a667cab7
SHA158e136f41fc5b754b0372e34679f41b4ca931fd9
SHA256693bede9cea5901b6b60bbf4d78c08d00bc9b3a3c06a431f86a3f96f569260a8
SHA5125e28bdbbacc34bcddf37df672fcbfc85f7b165e4eabf2b63fbb0b3eeaf923b6819c9272962835d0af8c6b83ebff9263ecdfc2a42b27624a2c1097fdd323396da
-
Filesize
819KB
MD5fffc71f12fa4da99648c644aa1fe8c89
SHA1989ff2baa8f826fbb503c3762089c31f0c7d2826
SHA256e5c7758569901a6033cffcb97cae02fc973e972fd9700e1c740d506c34b1ae56
SHA512ec06cfe1704e2ab7a232e707ab6247799fc3ed5757aad32589af359c5649866cd30987aa8b257c7b13f487a9db2f497eb9f06b1db7165e86722b1a3e0e004389
-
Filesize
897KB
MD52e3f17e7e9001ff7b7cf8ab412462a48
SHA12a49c0e715ecd73ccd9d0fcfb21de36cc3ee03ba
SHA256674e07c8188ea9be50a002c9850c7704541b44b35adc7528216dc73dd4a531b8
SHA512d42e8a4801f1c73733b37efb5ae17f321bd5463829ab9283566f38882624e284ff4c7c53b212c35ca53f9de825625a455393012ffbdc0e4caebd178fc716ee27
-
Filesize
458KB
MD5ed9e2ab6be5b26df6cb97da9c74903a9
SHA1b22597965bab20276bd822d1e764e47d627dde1e
SHA2563432e391049d1451b35ab23948f4780e0e3356c32b71b220040c3e2cf8976f4e
SHA512ba344b6524fd985041a5a641dad33de34b7376a549d59d827c4aba80e40770513067d4cbc50d9ae6935b20b3c912796e0d3e6fdc9239b1c98b4f045d9dfbfa4d
-
Filesize
875KB
MD573d86751a127f28504b4239773c328be
SHA1a7b5a37edc0841e9a269b827bb0bf28ae0d8c330
SHA256e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030
SHA512464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0
-
Filesize
180KB
MD50635bc911c5748d71a4aed170173481e
SHA16d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
SHA256a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
SHA51250ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
6.1MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
120KB
-
Filesize
120KB