Analysis
-
max time kernel
178s -
max time network
198s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:17
General
-
Target
9c5bf3d9eed2217c4da66fc4ecc7dfa9c79a0bf6cbbcdbef9f28ad3518879e78.exe
-
Size
1.5MB
-
MD5
2b8bd5b5849508f465f4eabfdd3ee1a9
-
SHA1
a0c8fd78227b07a8a6ca7d6bb2422e7a218d25f2
-
SHA256
9c5bf3d9eed2217c4da66fc4ecc7dfa9c79a0bf6cbbcdbef9f28ad3518879e78
-
SHA512
bfe809557c6511ee866422bb1dd7b54716bf77fbf5516b09b0fe8cb534b7b656598a3d5dbee86634c1d8698db0e326a9eced99313408e79c1a569bcac701490f
-
SSDEEP
49152:mvnZSzCFDAUxx+ddFfU+hxOXd2wBzLBi:onsme1drThx9wBzLc
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
homed
109.107.182.133:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c5bf3d9eed2217c4da66fc4ecc7dfa9c79a0bf6cbbcdbef9f28ad3518879e78.exe"C:\Users\Admin\AppData\Local\Temp\9c5bf3d9eed2217c4da66fc4ecc7dfa9c79a0bf6cbbcdbef9f28ad3518879e78.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kw1QV57.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kw1QV57.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds7yD95.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ds7yD95.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\II2BV62.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\II2BV62.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yc7xx01.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yc7xx01.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vp29Xm1.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vp29Xm1.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Iv5655.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Iv5655.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yS45Em.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yS45Em.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4gw177Gu.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4gw177Gu.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ra1rb8.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ra1rb8.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6jb2cT5.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6jb2cT5.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\778C.tmp\778D.tmp\778E.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6jb2cT5.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbda2846f8,0x7ffbda284708,0x7ffbda2847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,6295972852473050243,1969933174297083449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:85⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbda2846f8,0x7ffbda284708,0x7ffbda2847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1516,8859457094975576925,5676002905691265807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,8859457094975576925,5676002905691265807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffbda2846f8,0x7ffbda284708,0x7ffbda2847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,10905407744041687881,7766889043569812636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1496 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,10905407744041687881,7766889043569812636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:35⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\eetvicwC:\Users\Admin\AppData\Roaming\eetvicw1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5a4017a523911030f8734f8e8f0abdc7d
SHA1dae8d4921b10898492b444c0ab46b6a30ecf3cb1
SHA256abf9be1c7dbe107a68a1df66be86a2772e0846d05e1146c670df08eae6c40593
SHA5129e9c3cfd9e11326abd66416f727618fb7a73bd947f062f35ab6702eefc21cd21a9d462bc9614e8b92820e3a0af961a0203d6ff10e0852e24546093016dd4915b
-
Filesize
152B
MD536bb45cb1262fcfcab1e3e7960784eaa
SHA1ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA2567c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA51202c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456
-
Filesize
152B
MD51e3dc6a82a2cb341f7c9feeaf53f466f
SHA1915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA5120a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a
-
Filesize
624B
MD549841046cdde55ac25c3fc13d3a56c0d
SHA1cb75fd414276a1c197a7ecfc9d41e09788503252
SHA25654c47e6a6a22e6f482f33d1d82d4e3066f31ac596c24aad8cf445e69481abf23
SHA5121d1bd2c790ee722b78958e50e79395dbe442ecf9c8ba9e582786f03f85c0d7abc62c7328eae8bada40599fa4e190bc0010931ea0e1474c1231fb63d470586d04
-
Filesize
1KB
MD538645eb955731517e781519de6995aef
SHA1fe0fafaa44d85995f8e2121db9d803e4ae8178cc
SHA256a2ec85e215cf74bde956abf984c3a252fd4d25cf0163ce2d9b5cc568640b8b88
SHA512e5d5f42fb196450f3efed0a2992236a91d92dbce835838a0b77d8c89e07a72071dfe675236b81a69c744c577a4cc49a48918c40952a0d8d75e456654a55dc565
-
Filesize
7KB
MD5a7a77772d3f22a8a01ca5dddc6f3eef2
SHA1186567d34b7b46a63c79095b91ffa58c66ebe945
SHA256e688ed9acb368878289510e2f8a0913309d6f7f785d30931f721df159a5e4c11
SHA51271fd63fcdbc113f75ff62898138e6e4d1ebadd6905bbecfb36ceab81bdd77dec24de49a7ce3c4553fee3c3775f9e1afe18840d067e5b461190fad1c796d9cbb2
-
Filesize
7KB
MD5301e910c779d3c9f16be90f75ae20d18
SHA1d534cf386af49e748b35bed7b11e187debc3bacd
SHA25626673b54b8efcbe877b0fbd2b98fe3c5d9b7861226c5d90b124ecdc507bb8c16
SHA512c8ac667daf256eab336bef9cb1ac939610e04efdf83c816daa1663ef6086c7a876eeaaa7b2293664c5bc77ba727718cc1c4ea313ebb5fd488337fad1976555ad
-
Filesize
6KB
MD52409220c51d0a7e5c0204626660bf090
SHA1aecfa3a7e17e99e2e2f300af18b50234ec0a8d05
SHA256c7845e2623896c55d3177aa1e6eb12792cbf90b45c4ba424b0adba4199dfaaaa
SHA5124ec015998414e18268f0a08381069bb8924ae6a45b0773d98e61f4708e60a48db4bd5ac3173456dfaa67b3cf134ea066d7a7e9f86f8d633a1090c794418d4135
-
Filesize
82B
MD51e995f90ec58201cfe454aae793fbf3b
SHA1b1d1153cb1ec57b7f48bfa8c250b18eb95f520be
SHA256a257e58dab3b07528fb477f96050968b117d0ef8aad40d231f0e35cb796d2491
SHA512407ad4843a9f6a968f607f667217fc5301686352840e0783a385f241ad717aacc44cb24839e0d061d60caa50ec151182f56c30022649baf76f93164d3de07287
-
Filesize
146B
MD55e24e23bbdfa01767b67115dfff5523c
SHA108ca79f8c20fb14b5582df242e53e6a084833d78
SHA256e31fa4c28820a0c4a2b3a6beac2c95f74c83810455d415b7aab74311dbe3e417
SHA512caf90679641b87635a0258cc09ed5fd7df2992e0fb5e6e7bb1d3fe1b51a0ca16d6eef9f61ed618b21a1548fbc842c0b08c9ad7b5cac3658951fd710b2e09c1cb
-
Filesize
89B
MD55651fca077031a047c732f61c7448767
SHA16ae36524becd159d8127e163fbdedf3515c68e46
SHA256deff5d31fa57fba5f824049bf6c3756e936fd3e6130cef7dfded608f8a1a1e4f
SHA512f7054fabb72f63ed3a7090eef893f1ec996f2b55a85ef7178a09c734599774061727ca857eeba8a3e207aacd90e9b0d73a06366ae41340c7f89c1466d9f88141
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
707B
MD54dea7686420ede01e7f1e28223b02865
SHA1fcd8acd1fb3afb4b296bcc62545488f29b6ba7f2
SHA2565926863aaebb4f6aac697cf8fc22694c6fa3b7ed11c105ed48475f13dab15285
SHA512ca9374701d2d80bc3c627c871f31b4d0330c352cc28d2c57242dc912bd40ee89697c47c31c01830419490a90bb20d07ff2b000ce716b4219b92ce1a10cd6b85e
-
Filesize
874B
MD5de9243bdabdda0bfb0bc7e15d0146e54
SHA180dc388ee7f97ae6d233e4f4a6c5192b65f0b5d5
SHA2567b951c138c301a4f61b072d27164adb4f634783029d382c3c2347161ee3dfc9e
SHA5122193d1dc9db5d4eb1ba60878ffef489a2c40d6c738c30643006a2f245006df480d8b595d494e9ae00d1670006aed03a8d41c9a0ae57af90e16bbd728fa9a3e1c
-
Filesize
707B
MD56d01a697c2296788853d5edbc0dbb811
SHA17ebc03e4b783768e90f7ce9e516e46038cb8e5a6
SHA2560edfd48247e4e97701a7ac1e25fa6eb245064fadd6ce30a87ad8d8914f6079a7
SHA512cdb3546990507a73ac3243a948c8eee38b1a4616f73db35303cdd68231a37e3e7a54fc8173faa9cb6e345ed6d3c4435d48990e86ef29e31324f189b934ed0d5a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD53d97e8ad03c323b1addff4fb2b70aac5
SHA1120ec3e11f682d3ccb879c035f11ea61d2cfe57c
SHA256a0abb152328b7d57a31f37781cd0442a0d741d2057cbaf1fde68f8fc9e59dc50
SHA5120dd0a53599d30b0e090a920c2a5bdadb5e86ba70b3eff1d939d05f875aee4b32f04be61126014f3d555b615ff7f7c97f41236428f0f1511fdc3bd6f0c5398129
-
Filesize
8KB
MD55ff7ed3132aebeb8d98dd15e09efb3b3
SHA1ede88cf19260490b92d9ff5f901a6585ca78a7f0
SHA25669ecd706fbf06cc6c2f49a0212347e410713fe2704eb400843368bc2c5b3d48e
SHA51288f99eea611bb969b1884b84e667bf166cecd83162410794a6ca4f0d77027095db43e9589af6e40cb335e7e1c3d9cd904564fccad9b40ced719e56868684a533
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD51180dc6b695559a7987e5446e75985fe
SHA199e3a068a0f2a2452a84c8dd45d85a1091e37119
SHA256a8778c34f062d39cb4818caad562932ba3a8ba99afec6fea899d2eb188d4b1a0
SHA5128885cf10a555d63f7965022552071f3ea99224838403933c6a66f3fe555eeebacc0fc0569b8c3df65745324be047418ab15691ff3f3c3c346db9aea9bf51452a
-
Filesize
1.4MB
MD537633535be594e3762945f6fa3a0cd2a
SHA1024d731e8a0dc8e7a451364fc00fb9077fb0ef52
SHA2561a853b974474e57fc4cd94543939b348357fe77f082e59f9a437b1d7aa0b34ae
SHA5126ceccb4afee4d7dd5351d98754d2ef3203c3a9c5e175b5cccc95dbffd9bd48a81b2ca9a70daf1221f3f4227cc53992536b93de84e785dc9ac4c33edddc371ca5
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.2MB
MD58626800551310c30ef292bdc6ce84163
SHA1616013881203abf7b651eb9a87584a07b57cd145
SHA256d0565c44f5ae514baf995768ef85e660bc9ea764624a716df5ffcc519bfafd9f
SHA5123c064032fea773928a149b8de60d109749d368e0e8ae28004ef3ec01da3850c36e4e7c71a80c77ac56398fee1ebd56d13582bc1acf6c9b87a5bd46edadbd05df
-
Filesize
1.1MB
MD5408142150615ac9ec9fffa52a667cab7
SHA158e136f41fc5b754b0372e34679f41b4ca931fd9
SHA256693bede9cea5901b6b60bbf4d78c08d00bc9b3a3c06a431f86a3f96f569260a8
SHA5125e28bdbbacc34bcddf37df672fcbfc85f7b165e4eabf2b63fbb0b3eeaf923b6819c9272962835d0af8c6b83ebff9263ecdfc2a42b27624a2c1097fdd323396da
-
Filesize
820KB
MD559ff12c5e0142be78b6f83e7facf9315
SHA163d2d7184a30eb6c6260b44be69bd07bfb270a28
SHA2567597a920d887efee4652b885119fce3a040abc4d7217b345f8683a26353eab9a
SHA51224aec8080b41692b80d7085cd9078346c483cff99a33ab438222f9952790ca8128d234b048ce0cdb6ce4e1fda75631e70e2d9f16d6abdee25a5a239d9badb4a5
-
Filesize
897KB
MD52e3f17e7e9001ff7b7cf8ab412462a48
SHA12a49c0e715ecd73ccd9d0fcfb21de36cc3ee03ba
SHA256674e07c8188ea9be50a002c9850c7704541b44b35adc7528216dc73dd4a531b8
SHA512d42e8a4801f1c73733b37efb5ae17f321bd5463829ab9283566f38882624e284ff4c7c53b212c35ca53f9de825625a455393012ffbdc0e4caebd178fc716ee27
-
Filesize
458KB
MD5f4a54c765f969f555eebef8239ce2cee
SHA1d650104c8df49be85782fa62cb4297acfca34693
SHA256c49abf9a1625ee27b704abbee4e1bd0568a3a8ea57d132fe3f440c485a93221b
SHA512a22645dd1e6e25607aa63a9d2254260cb48146b704d98db68191fee8b7f05e2c4937715be29d70e6c8ae25e804149f5b729ac8a73d2459260d3c2862d8317b76
-
Filesize
875KB
MD573d86751a127f28504b4239773c328be
SHA1a7b5a37edc0841e9a269b827bb0bf28ae0d8c330
SHA256e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030
SHA512464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0
-
Filesize
180KB
MD50635bc911c5748d71a4aed170173481e
SHA16d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
SHA256a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
SHA51250ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
88KB