Analysis
-
max time kernel
176s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:17
General
-
Target
ef5182e386c1b5e967b1a0453f1438fdd0b0a301a44144ea579da7b6e6b40e05.exe
-
Size
1.8MB
-
MD5
a3c11e627b5f362ae70343be367590de
-
SHA1
7a858fd003632d1369cd5ad0b9540d9263e644a9
-
SHA256
ef5182e386c1b5e967b1a0453f1438fdd0b0a301a44144ea579da7b6e6b40e05
-
SHA512
52cc56af05f10687351eead59bebd184cb42cd926f9496c79decb68fb022ac5db97ee7cfc28980982b1f3659dd57484fab0731d2667cb486adef343c3fa77142
-
SSDEEP
49152:1qyyS5eqlIz8PH38ed53gNMN9goXJA70XIqLj:nyAnlrPV3COPXfXI
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
homed
109.107.182.133:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef5182e386c1b5e967b1a0453f1438fdd0b0a301a44144ea579da7b6e6b40e05.exe"C:\Users\Admin\AppData\Local\Temp\ef5182e386c1b5e967b1a0453f1438fdd0b0a301a44144ea579da7b6e6b40e05.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UV7lX33.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UV7lX33.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KU7Yu91.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KU7Yu91.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nH6YT57.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nH6YT57.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tr0mM39.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Tr0mM39.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\io5cl20.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\io5cl20.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1xh33Zr2.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1xh33Zr2.exe7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2cA7210.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2cA7210.exe7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3uU07Ow.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3uU07Ow.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4rg120fP.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4rg120fP.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Mr4va1.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Mr4va1.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6fD9sN3.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6fD9sN3.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Aa0zk06.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Aa0zk06.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\992E.tmp\992F.tmp\9930.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Aa0zk06.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe24f146f8,0x7ffe24f14708,0x7ffe24f147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8176527970928189025,4049035621436648952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:85⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe24f146f8,0x7ffe24f14708,0x7ffe24f147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2089642133227322437,16492977076332385304,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2089642133227322437,16492977076332385304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe24f146f8,0x7ffe24f14708,0x7ffe24f147185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,756276339897242188,2996722875210214906,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,756276339897242188,2996722875210214906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:35⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1712053167.txt"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regini.exeregini "C:\Users\Admin\AppData\Roaming\random_1712053167.txt"2⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD582ddfc0bc66331770cd9b563186fb6ba
SHA1c1e42aae60dfc01dfae24e249cdb7026ba032ff6
SHA2568cf0336ed126f769c48b79a77d1eff8aad4aeb8045905c184bf159d3f651ad10
SHA5123ed12c349753940231f0d5980d107927570d0ba401fe08151ac8b7dffc8d86919587b83db05be6b85b4b6a3b78026af7135237e130c6feecb79140436acb2382
-
Filesize
152B
MD536bb45cb1262fcfcab1e3e7960784eaa
SHA1ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA2567c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA51202c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456
-
Filesize
152B
MD51e3dc6a82a2cb341f7c9feeaf53f466f
SHA1915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA5120a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a
-
Filesize
960B
MD5999435647a5aedb0fa8b553015998ce8
SHA1c5ddde1e04686dbd4187d252d9ed0d029ae70f04
SHA2560e339dbf9d58c69148e3e22001734869a5f87ac0b705a53092c3d8f5699bbc10
SHA51232c26ee581b85056f38aac2fcd703c2bb49b3d67934e3ec52099ccb973d04d022feb4c0bd20a01dd193d404e439ee9e244dc2040576b1f80e74a902aae731135
-
Filesize
1KB
MD571b16ac380a079aec0dd310680546405
SHA1baed4f62069e051e2a720fa4f8e965678911ee0f
SHA256eebf9734a8c5f34c9db98e70b7633022b89be11160d28cbc2dcd6b537e79f907
SHA512709170763055a88dc80e89c75ae82516ee68849186a3bec8367cd39a69e2e9aeeeeb6eeebba97e789de8ca94619597387c02ec1e0be06939ac6bb833154d5620
-
Filesize
6KB
MD5816dac8d82a9bb529549ee13d4edaea3
SHA1cc7d74a2fcfddb1e12036506316c4afef9d49311
SHA2566b66f899fd9ed998df3404b8cdeca5c4b13943435533eeabfa403e686f46063c
SHA51281582d6a7f5ffde493d08e9ada78f866ca1cfebcb47a2e38ebc31ea1933dd96864da76724551ebcb759464702253a121a6223179ee7a248355102ce42c05f645
-
Filesize
6KB
MD5d6e67d56fe8c3fa78feed699970d389d
SHA1d2ce6479e8bd51f662f096d6487284612da52cf6
SHA256f4cd5c4f636f8a9f4c0b35be2595a1d61905e85fc11ae85f8580a89463f10339
SHA512a61e93a15a025d9e1fb42c517c3fb54f93915629881a1ad6a66eacd80cd6cf17328e472fb1a2c587d8467f01a165177afd51877d3ee8df1645d9e424821ca27a
-
Filesize
7KB
MD577f414d7b60bc1e1ca6ba32b1ffa7776
SHA19b460525b0a8a67c77d42eccf37817cf8c8d3f60
SHA2568de645f4727da80125f976088e94abe2868bc3fb4a002c3919092a209eeafa3c
SHA51214b63baa104028b9766cfa9182907bf35eadba3af345557dfdc1fd3316228d1caa22695a61f867cf63a610fbc0f666eca55fab683dd0e3f685f7f61cdf3f51f8
-
Filesize
7KB
MD5b2cb7976fd3fd17e672c5334a48e53db
SHA150dc00b83cf660aa0106d230a376795ef0fd9011
SHA25692134dffcc65092225658f0188a05eb2214ab1490b509cd3c0e85b91c3c2903a
SHA5127c9ec7720fa419ddb21e55e2ff111ee59cf662a5adcb4d5ae9dddd8faa580f40b4a02294ca46c4db7974c83ff8b1c6b0164834eec11053465ada268324585594
-
Filesize
371B
MD557e23c399d3e7a9cb12a4d1391b89f8d
SHA189ff031cd3f5cfd00ba56e407a2db5a2865d82b3
SHA2566c7ba7ab43371f8e6dd7584dac85484cfb8fa97ab89b57dc724890aabf965c5d
SHA5122365695785620443490d3a728a4d353633691155e2c2a255259b4a7270c02ad8e17695d905a025d02e1f53d2fa585ea3b2d98974db14de55d6d43fb8e37c102a
-
Filesize
872B
MD50e8b2063717a7436a49b5e3851bc0c92
SHA194694edd3e255f5300a522145ac87821ec09a6c5
SHA25613d148cfcf6615a1c1c8df8ce2a9e14bee52a7186e110c756dff9dd8d623bf1a
SHA51222d5cfea9180ae75b90b82c0468f84e245afa002450c50485fe3fdc6f8a86f432db750ae2484faf4a7a06438aa144519a5101c1c71a8097ae26a5e3ecdd1763f
-
Filesize
872B
MD5c70db1a5ac502bbc96148ccdcc65bb68
SHA13279ab61a210c8571d5950187f51b57302036fd0
SHA256effc758e10382e1352aa35699e5c4d8d98834626849cc835f1a31f44f4c5821e
SHA5124801dd7d37511d3b20260894d7fcb1390abfb9c15e25d3c72bfe40907ecd9f9933fa0cf5dfc6911629dfdb536e7e5e044e6bded1743ec8cfebb6f256b97dea78
-
Filesize
538B
MD593f926616e28e8298041184896f9d58b
SHA14d8acc85a9dba4b7d5c7865e500a625b3ab3bd47
SHA256599d58e193c7fc6f4e151bb741c7136fe51537e84c61193125535b0f7dfb0f93
SHA5125c8e7aaa35befa91e39a4cf705a2504509584676e64422bf5eb1c4f5c82f39cb312100a2daf9046e03f1c0447b4c109a812f630cd6829f714994a9a208dd48c5
-
Filesize
371B
MD5ef6d4bc8328fc3a5fb8537d74602b842
SHA152f35f64880f4c7c9c3b5363badb1c520be43e99
SHA2566315ed6754c0f02396383fac87aa3612c5607622572abe5a4f91eb8e45ddad29
SHA512b35beffe91192c203760e662494d6f2f7835f87bedfd389762776a970170881fb550ee620c831c6c03b7d61439d85e7f36f46c0392f1f6339dee3e9dc446ec79
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD51796ab8791e5ee15f360c7568014c0e3
SHA18eb9fb42ae13e7b0d2cee69a4987393ab51556d0
SHA2566720b0c626ecb0495f55cc81dd456e908ff8038de96154e4446a6d6c6476a5be
SHA512538830ea1d9fbb3fd68bcf514b44cf04ab2e879a8dcf40048655ab46575c47b5ebde06abab5f8d58df1c9e963ed077cea29144b1ce81d0f8910736b2097f2b8d
-
Filesize
8KB
MD58a152d266c5b87edee5f3b630963c91b
SHA1144f10cd73dbb1bed8dcaa64791a0fd878daf854
SHA25639a2078575571e51ce8835edbd9eae3bbb323fc5b382bc988e6e7c9a594fd7ba
SHA512499a800617504edd4f2372ee49c63fc482e3866667a260124b2ae070e6105bb30f3fef7de0f998fc9cd72133a5636eba742955c9321687c61c1557581623579f
-
Filesize
8KB
MD53110e714174c6d0ef4238fbbfe827e14
SHA191b3e1cff00b3a63af3d490f2c621022c64b837e
SHA2567b28791188ff796a6fa0f05e84895718391b5ce70ed736eb6c2573459fa2f88d
SHA5124f5aff155e96ae06a06f1b594c9c799b2bbae3f1056e5e6444d9540dcc113fa3160f4474f12e299ffab72938b042d9f290b69ed9a2497d7a669c1d4181e40694
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD591eec4b3ab9075ec087a7029d85026bf
SHA1bef2940c5c2536079464f52b3caadf049575b374
SHA2563f0cdce1dc5534947a3f44464a299b414cccac11e0a59caba39c73c4fa13d832
SHA512924a4de2fc7adfec703e79ac6fc461c986b0731e931b2672f7504f60167a38ee81d35cab1112fe78545def943bfdc925bbb700e948d529aa34d8e9bd4dbbe982
-
Filesize
1.6MB
MD50eefb6f0345cb5d2e89720b5bf8e90b7
SHA162a4648a4b64860328956fb96eba53c4ba330692
SHA2568e11d0a968ecca532c37bc7161a866733a33c4538de8303d265691a4ba68f402
SHA512b4a6b3a2a0cc8c2681de8516abdc6006d9d4c7766a8485089dfb30f8669c56e66911ea4f7f1dbc2d4b738444c97b8584cfe264bb601ed4e4df37f927edd22777
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.4MB
MD50409430ab03aadffec146bd7f05f2572
SHA1ba076c6e888d672e7c195bbb77da9bb0d8873a6e
SHA256082814fd5034aead385a5c32214b4dada21f87ec29417ae45a4ef63d918fdbb9
SHA51237bc085f1751d3f4f15f40f032a47c4ff02f01c46c30d5c6c212d01828683bd4656ae114073da3a8f8366e6f9cb884e9ebd227a4d02685ceea3735c907bdc72b
-
Filesize
1.1MB
MD5802feec3d0a1805388684c97d6e99f43
SHA13741396952f0e38bdc46cb6b5332339998972ae5
SHA25625fe8b2d97ec2ad543e59fdbc1c48be6ae0c0798a6f172ec1184ee377edd506d
SHA512475f2ceb2c3040526803450211752a54fb5a6ff981c64fa9cef8cb989e57c217d08807e87adb728c33a8a64be86ec030bce2f2c0ffbb2ea6bb1b06cb8f6352c6
-
Filesize
1.0MB
MD500e4c3ce5adc83db83bcfcdce10edc44
SHA119fc29838065d9a018c3dc433e242c469ecca98d
SHA256eabb4b03e18df0f0e0f0759ae3d7db5cd80d1dd36c84f5efc38c84abf994ba0d
SHA512accd18c818e4a46b2162401389231872297189d669278b96bc5b1da09affaaac4b2b56fc452828ad2784c6db1f24f947ede218a9ec0d89a5d1811516d70ba66e
-
Filesize
912KB
MD5fa8c8ec6ae80ef6a2ee8b1d105363738
SHA17c37e3f734b09d99a36971b36b90b0702c7670aa
SHA25628b8c8964a3a38d8c75072e51738cadaa802cc8027af3416f0ee19969a19d3f1
SHA512561ce2bed5b9fc28646d1ad7336e00b44cf392984b9c2143a9428566bee646d51a855a7d5fa39832e4fa2d0c8c4fa899dd45b61b10ec6cf6f9deef2dbbd53b3d
-
Filesize
696KB
MD52c88758abd1601e75319c17740f7a158
SHA1ce766dd3a4c2e93c778c9ec4574913629e1ca75e
SHA25681da83e705e59c9c999c41f24380020e3ef7982dc4805ed089467416e41b6443
SHA512e89a26c61ce6233a2cbfc8c128b289a53deae865ee507bf8968745979aa3a54eff05c0a326a68ac6bc7a71ec138c329fc8f826e31e379227d69c9112165c44ba
-
Filesize
889KB
MD5329170db7797a04f381a1d79d2673d16
SHA1e2d5070a1538fda58e8541000626c1c977cfc73b
SHA256ca1f2672edb00f4ddbbc50c9c4c9d7214cb71e013c1c4a4d40c1850b4ec29781
SHA512d92be6a777f000658cf520d85c9f48e08b1bf3095fcef0e3bb02b6b608ee021138202f9a5692a1741835627390af4adbdb5667c0fc43f63f5d35b2606966eb8a
-
Filesize
354KB
MD5c7665641fdcbdb90fbb0aa0c669de8f3
SHA1dfdf58910551d7602470484cedef0f9e8dc30f89
SHA2565447183efa462aed62370d09790a4ca9ecce80096786994ed184fd9ca77ec6dc
SHA512c2c8e361f0bb976fe50fd2d580b6e4b82fb838a5cb0f888217631662c6a54890bb0d60c630b99c4ad1f325c6320acd45e034ab9eacda75657958e14b82301299
-
Filesize
265KB
MD515fe972bcfd9189d826083838645b850
SHA1d2bf7fee68e358fa71b942b8ae92e483536abf86
SHA256ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4
SHA51230f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
78B
MD52d245696c73134b0a9a2ac296ea7c170
SHA1f234419d7a09920a46ad291b98d7dca5a11f0da8
SHA256ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930
SHA512af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79
-
Filesize
1.0MB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB