Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:17
General
-
Target
ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe
-
Size
1.4MB
-
MD5
0bc27a2491501ac1f8d8010d8af1071a
-
SHA1
0e8cc9986c76a986593044e44c2489d675518295
-
SHA256
ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5
-
SHA512
e97d2d29eb673ef93db84ec41429917830d4d16d4fef919c3258daac1365b2e7ab75fefa2100ee9586a55cb70f0f85e72e6fe07211b45932d04db1761d3efc7d
-
SSDEEP
24576:5ye7KjbVGqBXh1pu9+rCDFZTSOO58v2yODPbNbOlcSGO6EC3gf/7qYP2mChCu4hP:szZh+am9eyWPhmtDC3eFP2quI
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe"C:\Users\Admin\AppData\Local\Temp\ba9bf75396aa0b37ebe542ff50745e18cd648bb996480160f4aebe4f262d17d5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ue6rA29.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ue6rA29.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gt2Af11.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gt2Af11.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZA4hP56.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZA4hP56.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mF1MZ63.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mF1MZ63.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pg75EY7.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pg75EY7.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FN2831.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2FN2831.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3oQ78Qa.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3oQ78Qa.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ri687QR.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ri687QR.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Qb5Lp1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Qb5Lp1.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qc9be5.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qc9be5.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6939.tmp\693A.tmp\693B.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qc9be5.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff631246f8,0x7fff63124708,0x7fff631247185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16358514498052917647,10148476090250097227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16358514498052917647,10148476090250097227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff631246f8,0x7fff63124708,0x7fff631247185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8306774861158393201,15229055254916287320,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff631246f8,0x7fff63124708,0x7fff631247185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,739497807603802566,11775804353189723274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,739497807603802566,11775804353189723274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:35⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59ffb5f81e8eccd0963c46cbfea1abc20
SHA1a02a610afd3543de215565bc488a4343bb5c1a59
SHA2563a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA5122d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
Filesize
152B
MD5e1b45169ebca0dceadb0f45697799d62
SHA1803604277318898e6f5c6fb92270ca83b5609cd5
SHA2564c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
Filesize
1KB
MD5f0ad033579801f19db1491adab17fa62
SHA1a35230902b76ae8e96174bd1a3c72d2bd90b8ce9
SHA256fa126b8a55de49ef66258ad8b2ba1af4d65c9e176e4bf681e114a0617c4c797a
SHA512bffd73a2fb9222d01067172497eff0fbe4296d95b9b46eea859762da000c99dc91757449981fb5dce68e88407d5278ace6455133a7c984e2b80dde84dab112ab
-
Filesize
7KB
MD5a189f62f777d7287bdf29789cae9c40e
SHA1e17667d60e59536f804e7c4098518c18c648988a
SHA25634fa2d84fc64067704930e4656c4eed65c7ab205e8d79ab6fc1e94ae8aa16cc1
SHA51216863f85f1264e6c978dd73d6a5a4bb7af2db249c24732c7ea512168fad9f5ba4f25961f64405c206f7f4ebe3bb15fb6539b2188825de590ed01b572d8c42485
-
Filesize
1KB
MD5fdb484921dc87a5993b0f626e6db2dd7
SHA1c140a5afc74d59925699ef3bcbd6b79d3218cbe2
SHA256a5191fbf254ce08f00154a1211cfa21e42f770d516761d2c1157feb5bd9be3bc
SHA512df3bdcb9fefcb471ecb482c599ffe1c35727d7b6370c8905b63f5bb25662788ad1079d8ac8fe0bd0f565b2d4a8b5cd8a7649286564d54252656b4a49d88194f9
-
Filesize
2KB
MD59dd3a32cbf9fbb7db183972632af7850
SHA175773dbd92d03455d48a41a1d39db22c9f534173
SHA2563628a86b72f6ca84e68239c761b3443013ac67c6fd1e9650311f96d8b1bb1cf6
SHA51234bd10743241f94ebd6dad1533f0e734e556ec2b12dc0b0b4a8f1377148ef576f950662d67fccc760b7bf7162c160410fa8379aa5106ea3d0a484b23c05fdd9b
-
Filesize
2KB
MD564c3b8b18b6040c14019ba2e9f294ce3
SHA1feca933c8baa8ef1551d609e38a0c70bd91edf04
SHA256e629ed4c94e2e52ff367584fbe006a869972493420fd84b0e1b7744af389dd70
SHA51279a9ce550080452c4a57fe70cb04686892717dad45f2b6b3d9b488338c31cba7979396199431ec94ae4b62621334e897dfd08efc0d5fd2714b02b1f4c86e83d3
-
Filesize
6KB
MD5bad15138762b07cd6e7be362ca33ae78
SHA1e5c5fbc18fdb9e8b7289d994c1f35a813f7e6627
SHA256d5219e3552f9fa230150af72cec1c00c17cc025bc8bedeb1b5a36e326bdadf57
SHA5129176a854f3977f14261e1c48affa9fa48f0df7e20db76172627b79383e4338917d6a8d1d3ee2598a860e894bfc8b8b9b81bf8cc42a10f61c7b013293d0554d04
-
Filesize
89B
MD5b916c10ebc9d9c5f19096c5127979403
SHA13de1af73d14c5a8759413089bd10f80ffd77b112
SHA256a0e0fbdfac6fcfef4711bbf731c60bb79521765716130f820881409d8d0fe825
SHA5122f997288b2f8ac5cd7da5f668c212baf623abc2f955aa71ec17c5135b5aea91deacbc033cb5f79dbaf454ebeb8d2bab232878c9a751b4dca5a5fabceb2a9edcc
-
Filesize
82B
MD5e4f1726dfd947fa76a8c6a535fb8bbd3
SHA1d1897dcfb0546c8b4169eef9724e6e2a38dee3a4
SHA25646ecfccd9517bd7dbbcc267b4b449762dd283f33475d5ad5fc596ae3f6bae0c9
SHA512f474902b8b10e9a21e8549f65eac094bc802057c6d8cb17e4070360470f0f4b78b4592b7f30274890ea1ec68e496dfca8f824f897b1860936c0e9d487c31b012
-
Filesize
146B
MD50ccfa9471c2ad5ef3045701fab651396
SHA16f8f2599444806bb496e8261c599613165f4815a
SHA256efa839dddb1a2a51fbd1a79bc57867c3fbd8c7c0c3fdd93f4bc91a05f1f1fd83
SHA512628f29c94603fbcbac554696c3a56b971fa114528bf8d298af5a73152b45776cc5986825d295e6e8266c90a7069ba198265c25870db995cc5acb71f2ec6da98c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5c9c3033c09444d95bf9b846a50e252e1
SHA1f417bc615206209a1d529a765b0fa03b39f95eac
SHA25679a63f06fe16c5464b3438b06e32f5c7d4419ce659384deda81611eece586fb9
SHA512e9c0eb9e1b321720adad2e937184d9b59d7811128ff60fb4970a436d5325301da73fb44adb1a76b456c5cd99c84096b6d57e82c9c642d490ef5de0516495821d
-
Filesize
48B
MD55551a7cb03056c90a6f852f8c0f1c7d5
SHA147aeb839e1b4767de1221d8d7598633304ceae9b
SHA256c486874eb9bf9b3a3c260ff5f3f0ff457d78fed8a1bbd409a336348dbf768861
SHA512f2b2fe5528945acbf4fe21dda47eca8d8dd41e997b314a9d797fc1f649280611a948327e567ab4884e74deb855fe5655d363fa68732c437843358add8ccf8523
-
Filesize
1KB
MD5b08e4a4a3fced077c8ccc35e4b86d27a
SHA1c2fbd0d7afff62c0be7bd464b03bf79fa9658d7a
SHA256e61a0cd151611df50b746bc0cbec7e722fd08da662f2d9df30b02a7aa4de7523
SHA512e64b3a7be55e22530b03205dbca11303b0b5caa44ed3790aab52ac1168c3b7463b5d830bdea1a7cb392fd800df17658003c2cae240f4226e872c50988072e7a7
-
Filesize
1KB
MD563d9f6d0f71da9f49dc81e9e16fed6b2
SHA1c065942cee752eac60d0b097f40737d5e26957b0
SHA2568d69a0573c2027b4361e6b95cdcf7e22b46cc4bc8cd68de37be9e7c7bcae7e67
SHA512b14b53fc4e22f9d5759415c0936951a1a31fe8b8bc5d66feb3d5d2b5f99bce6a747f7e91416e6bf8391d6b53f456b59931c8f08ab7afc37de9d44b4ca2896fab
-
Filesize
1KB
MD5ef58b3c8ef373e10f9ee904c0395bf86
SHA103f74ef387397aabf342d9f0eb6a9561e383b280
SHA2569e312886c7d684599edb97b9ecc5df79f90064e81ac569059304e685f09489c2
SHA512c8b4feceea989c2db994b1f9a8ef4ac25682cb880f8703414d57f9c62e9f1f92090326eba1ac2de3680b06a646e9fc067a8abfedfe0defd5b04e1ef26e8d70b6
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD50e912ccc39ccb43b40d2ef9b978380dc
SHA142a11032505f099931cb06e5d3f3b5a2824c2a8f
SHA2567e2936c53ee934ef16d8dd24b686ebb72af9b2ca3d8d0d729078b6fb0cb97d3e
SHA512f8c4a10b62ee0cbfc6d6ecbc2ad63683db9b233bcf5363585be1e849c78478d131cb2dcc28895d7b1ed0200b13b24441be5bcea00689e54fe97ae2c82270a1c2
-
Filesize
8KB
MD59c0eb54d8d4b3b125398ebb8826dc3e1
SHA1ae3421b53abb3703d482b603f1aff67acbd26971
SHA2567634700c2ba106f272a7f6ba7e49d7d980b2b8c863fd8ef140b031c4029316c6
SHA512b44aedf96370ce0163cf91709241c242867291f3bc19716492a9f129357829201ac26750fb55c6fa3c4c18b6f01b24e0c961a40a7de290ee2f188810a9f7abb3
-
Filesize
11KB
MD598194fc608087ce6dcda353882ca8007
SHA1420813098d7b28aa2c8f959a336741872e8272c3
SHA256d70edac4f08cf16e79eead31194db093d016e7845d65f3ce4bc2259fd784e1c3
SHA5125c189915f1d40f9526dc55e69554c42ffc2094aad001be66e9e8e6c4113aab1cc725f39bc350779df18c21478147a20c34fa3bcdaf5b542a1b4ddf8f73563d5e
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD54d758d7dd4253618b3750dbc02e9ba8f
SHA1d25c25ed9d0d72199f81690c145a6586136b7a16
SHA256b4402966b9ecd41ac74a5e6e9632bccc9790d47fadb30e303054be0ed75b05ac
SHA51276c72f9f4122d5430f6858485573930aea32709570a5b223abf9d1251bbeeff691dbd76e4b32a302c869793598537e57dc8a25a9fb4ce94a6ae0365a73c46bc7
-
Filesize
1.3MB
MD507d5a4981604d6c3bcd5a9f7b1f6f4ef
SHA1a12e9e83a98483bab36e881c5512012c5e848af8
SHA2567b994d3b12efb064f84f8784324d612c913b1d52446556fd2f564c4e4fed4227
SHA512ad191363781985d579fe4853281bbc3fa6f950eb88d342818307a5631fce8b9e270f38f0b87d6444eede56d5d59381cabaa6529f4252b6b2285d90a4a37ea275
-
Filesize
1.1MB
MD5ed173328d1931f2916a4ed40cdcae723
SHA13c3b26c1a9bc4d35778f509d11356926de59ccad
SHA256b2b2eadfca132eeca8517d05f6128823281b2ff9f10b59ad902209bf986ddd00
SHA51203b0ea1f56b60ef777ce030e2d1a6079ba7ac1e97dd4eadc90305cf30a3e2e700e9de73286521557ce56b7a87440135d16a3777a485fb0fd4132ed3c0eb5e483
-
Filesize
1.1MB
MD5028acd6b8d59c554ff41f837cbc3886c
SHA1db3e10489bfbe192006373f7d004a6d21fe59787
SHA256a7da8994326d83f8ee2902b8b96608ed588cafa99a9fd6f53bfdc72d0c9b7ada
SHA512c13f3a6cc1919feb2bd129fc8c983be9a5f794177a14dfd63d34fa0add0e5c491b85ead7487bf417e827fba04a6fbc01154c69bb5ff453b4c725376d35c6b599
-
Filesize
698KB
MD5294702aad4a50e2904aabc229bf63222
SHA106496ad15d675ed3a2909cdfc3a2fdfa4e7ef955
SHA256572e5bb001ea13fe9116f22e5ef156f8441285e4daf89889a2c9aea50f82e231
SHA51215063c6fd56b0020f2f9928caf911ac43428ed00d5577d2fbdcd99bf7d1f4a1b69d5752d44169b2ac564a513b04b87ef10340a765d7214f68ecd990d38b64a49
-
Filesize
30KB
MD5a2a8503fa5b0909fc7061ab2526dcf79
SHA16de70590fbce34fcecd14fa489eebe32ddc54705
SHA256c22853b040f35efa42761bbfad1455d3f552c61ceddfab30f180f2b0d50268fb
SHA512b9b8db133956f578e13cb77ffd8d881a86e957048c452aaade2f501a22ba7b821323d1d62e7656d4856c8d9dff497ad9076373c29e2d3eed5545e0451750c6e7
-
Filesize
574KB
MD58ac38c2fe934b7249b579786a31f6416
SHA12f75c2d2a83b9a13ade2321c2f5c0f55964fe42c
SHA2569e404bc764a48d9ea36b18e7e1786890a3f111ad76d50160ffee3fd8b7a80abd
SHA51204d4f2800a807599e11363c02c7988da34f567c1815cd4a2cd5f4503f8e525a2bca4fcddc64bb4a3610b83e3dec42d56a2a55e844f8178bc35fb523783446b5f
-
Filesize
1.6MB
MD529e9546e7fe835b413a5d65599213b53
SHA164d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658
-
Filesize
180KB
MD5c48daf2acb868a7a781de9b5aa6af69c
SHA104a9e5ac7d3b2a326b64b5cdabdfd4c75f07742d
SHA256c74ac1603c2417b67ff88a4011d5f4ea9e972ca80d554237c845269bc68d562a
SHA5121690f6f0d3228467f8fc9ff5a2a843a103acf4cd68df058df8794b1e11e3a9d01175434821edd0f79626f885f4f808cf08c743c4ea6ab21525790bd8fd8f0ebf
-
Filesize
219KB
MD5ff32549725de81479d2849fddcaba456
SHA1e6fd7d684fa167c632f3a666d3213267a0e3eb5a
SHA256d66bba14a81476dd4cdc0e8a11abe4832c7df1ada84f44a952e2b391f34eb9bd
SHA5122878b38f535640331ba28633b0cf8c27b54406314da7fb4b1b8683aef20b52c86f510df1bcad4d7b11a7fd91967de74323a3a539055f90f54e742257c04727bf
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB