amadey | 01f98f39f11dc95e7916a52951f0fdb5d4d6acdeae2387b3ab8eee5a0f47cd63

Analysis

max time kernel
147s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe
Size

1.5MB
MD5

f3cd6bba4c29ed1c18b64abeb4e7b5d6
SHA1

b021ab8bb5818ea679feca49aaeb134a735a8982
SHA256

d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4
SHA512

3881ad760075d5fc765154095b2cf33c6b873bf2a0bab26f3a5815f8ce74f98d5f38500684d5541b553eeeb7607ddad0dcabcc01d531645916d28784d8af5e40
SSDEEP

49152:b9oWtgy13P2xA/bJOByk2SfIfKsMfTtUIEw4Gr:5oupP2xADJOByoQfKsMr6j

Score

10^/10

amadey mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/1900-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1900-48-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1900-51-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1900-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/files/0x0007000000023339-83.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3276-62-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	7rh1LM04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	5fz3es5.exe

Executes dropped EXE 15 IoCs

pid	Process
2516	RG2aA85.exe
2000	Ur9dw34.exe
3348	ca6bB94.exe
3100	hI7ot99.exe
864	iF5dw77.exe
840	1ip14dv4.exe
796	2zS4859.exe
2368	3WE90JK.exe
4356	4TU265HS.exe
4756	5fz3es5.exe
4408	explothe.exe
3168	6lk4BG5.exe
3416	7rh1LM04.exe
2056	explothe.exe
3888	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ur9dw34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ca6bB94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	hI7ot99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	iF5dw77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RG2aA85.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 1040	840	1ip14dv4.exe	104
PID 796 set thread context of 1900	796	2zS4859.exe	107
PID 4356 set thread context of 3276	4356	4TU265HS.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4388	1900	WerFault.exe	107

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3WE90JK.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3WE90JK.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3WE90JK.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1128	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{93E83287-66F9-45BC-9620-D0AAF6EE0448}	msedge.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1040	AppLaunch.exe
1040	AppLaunch.exe
1040	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2516	1928	d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe	97
PID 1928 wrote to memory of 2516	1928	d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe	97
PID 1928 wrote to memory of 2516	1928	d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe	97
PID 2516 wrote to memory of 2000	2516	RG2aA85.exe	98
PID 2516 wrote to memory of 2000	2516	RG2aA85.exe	98
PID 2516 wrote to memory of 2000	2516	RG2aA85.exe	98
PID 2000 wrote to memory of 3348	2000	Ur9dw34.exe	100
PID 2000 wrote to memory of 3348	2000	Ur9dw34.exe	100
PID 2000 wrote to memory of 3348	2000	Ur9dw34.exe	100
PID 3348 wrote to memory of 3100	3348	ca6bB94.exe	101
PID 3348 wrote to memory of 3100	3348	ca6bB94.exe	101
PID 3348 wrote to memory of 3100	3348	ca6bB94.exe	101
PID 3100 wrote to memory of 864	3100	hI7ot99.exe	102
PID 3100 wrote to memory of 864	3100	hI7ot99.exe	102
PID 3100 wrote to memory of 864	3100	hI7ot99.exe	102
PID 864 wrote to memory of 840	864	iF5dw77.exe	103
PID 864 wrote to memory of 840	864	iF5dw77.exe	103
PID 864 wrote to memory of 840	864	iF5dw77.exe	103
PID 840 wrote to memory of 1040	840	1ip14dv4.exe	104
PID 840 wrote to memory of 1040	840	1ip14dv4.exe	104
PID 840 wrote to memory of 1040	840	1ip14dv4.exe	104
PID 840 wrote to memory of 1040	840	1ip14dv4.exe	104
PID 840 wrote to memory of 1040	840	1ip14dv4.exe	104
PID 840 wrote to memory of 1040	840	1ip14dv4.exe	104
PID 840 wrote to memory of 1040	840	1ip14dv4.exe	104
PID 840 wrote to memory of 1040	840	1ip14dv4.exe	104
PID 864 wrote to memory of 796	864	iF5dw77.exe	105
PID 864 wrote to memory of 796	864	iF5dw77.exe	105
PID 864 wrote to memory of 796	864	iF5dw77.exe	105
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 796 wrote to memory of 1900	796	2zS4859.exe	107
PID 3100 wrote to memory of 2368	3100	hI7ot99.exe	108
PID 3100 wrote to memory of 2368	3100	hI7ot99.exe	108
PID 3100 wrote to memory of 2368	3100	hI7ot99.exe	108
PID 3348 wrote to memory of 4356	3348	ca6bB94.exe	119
PID 3348 wrote to memory of 4356	3348	ca6bB94.exe	119
PID 3348 wrote to memory of 4356	3348	ca6bB94.exe	119
PID 4356 wrote to memory of 3276	4356	4TU265HS.exe	120
PID 4356 wrote to memory of 3276	4356	4TU265HS.exe	120
PID 4356 wrote to memory of 3276	4356	4TU265HS.exe	120
PID 4356 wrote to memory of 3276	4356	4TU265HS.exe	120
PID 4356 wrote to memory of 3276	4356	4TU265HS.exe	120
PID 4356 wrote to memory of 3276	4356	4TU265HS.exe	120
PID 4356 wrote to memory of 3276	4356	4TU265HS.exe	120
PID 4356 wrote to memory of 3276	4356	4TU265HS.exe	120
PID 2000 wrote to memory of 4756	2000	Ur9dw34.exe	121
PID 2000 wrote to memory of 4756	2000	Ur9dw34.exe	121
PID 2000 wrote to memory of 4756	2000	Ur9dw34.exe	121
PID 4756 wrote to memory of 4408	4756	5fz3es5.exe	123
PID 4756 wrote to memory of 4408	4756	5fz3es5.exe	123
PID 4756 wrote to memory of 4408	4756	5fz3es5.exe	123
PID 2516 wrote to memory of 3168	2516	RG2aA85.exe	124
PID 2516 wrote to memory of 3168	2516	RG2aA85.exe	124
PID 2516 wrote to memory of 3168	2516	RG2aA85.exe	124
PID 4408 wrote to memory of 1128	4408	explothe.exe	125
PID 4408 wrote to memory of 1128	4408	explothe.exe	125

C:\Users\Admin\AppData\Local\Temp\d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe
"C:\Users\Admin\AppData\Local\Temp\d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 540
        9⤵
        Program crash
        
        PID:4388
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1128
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe
    3⤵
    - Executes dropped EXE
    PID:3168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3416
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\73E.tmp\73F.tmp\740.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe"
    3⤵
    PID:4148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:3812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1900 -ip 1900
1⤵
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5644 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:1
1⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3232 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:1
1⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5636 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:1
1⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5648 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8
1⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5788 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:1
1⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6148 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8
1⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6296 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6184 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8
1⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6492 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:1
1⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6716 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8
1⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8
1⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\73E.tmp\73F.tmp\740.bat

Filesize
632B

MD5
401dcacea4acfc09e8774cd0fcf16129

SHA1
ae03b7999297b5383785eddc4f6194fd4c80e149

SHA256
1d5c24e97e32d5e4aefe29c6a84df664e67a2db5da7a6d138e5084a60a7bb0e6

SHA512
7c423d05b9ea04a06614037c9e28f3da27fbb95daefd14450cabb35a6abf546b1a6585c1bcd07a66a3d02f967fa1774c9cb09b5520a53b2f90e0ed1cedae3dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe

Filesize
87KB

MD5
92b82c490c282bf2b09268be9b629732

SHA1
14c07fab8aca1f8f41936f1217478a25beabe3a8

SHA256
1f4ee8b00682f5dd5bf0c95162897566ba5ca1c4443cb252c7559687f3b78273

SHA512
74f70859a2c9372eb079518a9ed2261180263542213d87ff9911926d282f87548e8f48ecd550e574992907e23597b6ca1bcd2438cc6796b49588a2a93720b27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exe

Filesize
1.4MB

MD5
2e20a2d7c6194a7cbbdda4d9452bfa03

SHA1
bdf07ff1bc943028fa77f68edcee9af66605cd5f

SHA256
34146b4c86a617d559fb0012ff0f5afd04927a97143affa9419ea71e5411f061

SHA512
037de372946426dbbf019a01f171b39eb67544a620188a6b0735233f8e57dda0e23a9f4765df5bec28ad7a8c5de7dc9ed420f09b2784d809238286a1265ddeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe

Filesize
182KB

MD5
2eae4f217dafb0e02f5d37c44ae2a652

SHA1
414b9875eff592c656038f38ddcb12e8064f744a

SHA256
9598973b13a014ad884b46c7494a0392a36270e62a365803f9eb1438b2c19f4e

SHA512
4aac7e26b26223cb201b5e5fb581c1e2eb32f8877a1eab582e181695e0503be4a4e545aa326dc112e7deafc1ef2db2c7c1ed1968339cc89b96f2f1110aa637ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exe

Filesize
1.2MB

MD5
121aa508cbaf7060c64667863c8e9389

SHA1
fdeaba571f6e72d4fdb77631579f6d9bf5356f18

SHA256
95036dd4a2fc22e08a063ee05b13441b1a9df0d93ef4646c16574f7c460eac3e

SHA512
4ced304e8f2c4662a216a8fa2a36f42ebfbb6fe4f9d05d273f111943ee00a0941ab3878ec5d04cfac688ad4149bdacfb8cc729da9ba43cd3c16f13c64b5eb529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exe

Filesize
219KB

MD5
f65f417183727d8ef72b19a7ba3435c9

SHA1
1ba33b32beb0c119eed2ce54d16a92342577f37a

SHA256
32c97705475e244c65dff0254525ab7847555bf05082db2395f05db2e125bccf

SHA512
abe8a29652953dba6b86516890eb0253ef6bae0aed39b92010873ac25154246acd1dec5858036015430d8ca27fe91031b6ba031d0488cce396d1cdf539a7fd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exe

Filesize
1.0MB

MD5
4703ba737b5cdb5519cfe63d74fb3dbc

SHA1
21096b4f846b4d7aec36fe953de2007d27d33db1

SHA256
a53869996516adfd7af5610a409584618d747d1386139e632eebd84df93ea612

SHA512
46a42fb2aa810d07cb4048cecc555f8bbb1d13cebf9d486011f5e8f53369fd72e522fce28aaf09a4581ea70e6044eac97cb1b4b2ab73d7a70bc2781815750e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exe

Filesize
1.1MB

MD5
a4865323ef36cd164e7a023f917433ff

SHA1
ca2e62e99540d345da483514c50edd4af13705e4

SHA256
6a42355d8aa58d2cc8c78092d4ff0da6ef3293674ae518e15c71d1ae10cd1c67

SHA512
575b0cd897c88af2e03897f67123e3ecdfe8c0eb6cbce87d603520a1d748f231792210671d950ed900858bb0f84e8a9770030d96f3ed69d7964e566a357eebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exe

Filesize
647KB

MD5
160a38e156d9d16c2842f119ad0acb7b

SHA1
137cb4df3f0a3a711bb24841585f81bbfff781c1

SHA256
a4a88dd47fb2c0d47afc4cd467cd98b775329552d605d92a369e8a192600a5d8

SHA512
fbcbe0437f1c5a1b2f32a0ff716c3701fc577df48267fdb6c85925ba750cd006723f8716fea1a547edd9bb932bb00589013f9cf026475ca6798c271f278d6077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exe

Filesize
30KB

MD5
2f9257e7bc6fb693d58e213784b509f1

SHA1
dfb07e903b57d6b26c219f31c3c229e316425899

SHA256
36c7928fd1c4f637fb4ebb75c5e491ec990d608bcb07adf59644947e46e21150

SHA512
fc37f43d513b8a719a9fe276f5a084aeefd6ab6e3597d1279bdedc11805c9e1dce956d1818d7c9aa5143b71a7d0de2c6b4cca2ba09ed10de3165314320e87ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exe

Filesize
522KB

MD5
dcadef184d3ca1c2568441d3b0b06b12

SHA1
c7ed42bcc082a3b1f5fb254185b603cf948022b7

SHA256
2e38b54b82570e519260902146b594aff77a694e956d49e6cf93ddb466163fad

SHA512
dcf3b732b916c1b518c01267cfc330988ad5f5f24646c4b43dbcf488a4c76e417eb9033728d1579eff70bbf63a4411729a0bebd4cf24c2360cd8d16c5efb883b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exe

Filesize
893KB

MD5
0e56e59513a4b1d1eb512e8187ec7ab0

SHA1
992bf232b6fe1c8e363818191c267f7ce9a435e9

SHA256
bd2bfabee2939f8bca5de7472b0fc90b6ca02f0a1db275b0970b32a53159ea5d

SHA512
93c4e5da3877442774658a5f516447c8debe2490a969cafea145e67d0572ee0f8c7d3031c588a04d42aa1b769bf5661f31086986c4a0180393b08dd8f9c34241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exe

Filesize
1.1MB

MD5
92d270ad52299d83b23749f1307822b8

SHA1
bf40dba809684b1f4994e52c057c2579cf943b05

SHA256
36c4eed0f2893a3326ae8c2a20e85000356a95c67e0dafd7093b19619d6c8f0f

SHA512
1e296b8531aa153461c0de6e401276815efcfee0f66a031ce718d634b771476b25b38fbfdc006a17af27368ee7b06f60ea4a1de156eb21e693f7a24069438828

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1040-46-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1040-57-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1040-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1900-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2368-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3276-71-0x0000000007BE0000-0x0000000007C72000-memory.dmp

Filesize
584KB

Download
memory/3276-73-0x0000000007D80000-0x0000000007D8A000-memory.dmp

Filesize
40KB

Download
memory/3276-72-0x0000000007DB0000-0x0000000007DC0000-memory.dmp

Filesize
64KB

Download
memory/3276-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3276-87-0x0000000008CC0000-0x00000000092D8000-memory.dmp

Filesize
6.1MB

Download
memory/3276-89-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/3276-90-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/3276-91-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

Filesize
240KB

Download
memory/3276-92-0x0000000008040000-0x000000000808C000-memory.dmp

Filesize
304KB

Download
memory/3276-70-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/3276-94-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3276-95-0x0000000007DB0000-0x0000000007DC0000-memory.dmp

Filesize
64KB

Download
memory/3276-69-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download