Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02/04/2024, 10:38
General
-
Target
601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe
-
Size
1.6MB
-
MD5
4134fbef26ed612d274c2beeb721b0b6
-
SHA1
4b7add665f3246c6107d65692a9f6145a1aa579f
-
SHA256
601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58
-
SHA512
a33d0f9c32ed55a708a28b891d7a5761b17257afbbeecd3cd5702c6ec6ba920d56e9414da282bfda8f7ea20fde0cdb38fe9083167f96da48877bce5c4ec1d668
-
SSDEEP
49152:IMkxML0hUMN3069F5Ienkh8kFOx7P+JskQaCeUvej:7bUU0NIekh8kF8IQZ
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe"C:\Users\Admin\AppData\Local\Temp\601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv0Dv81.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv0Dv81.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qp5Ej06.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qp5Ej06.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KP3hS40.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KP3hS40.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN8vi25.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN8vi25.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sl7Ut74.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sl7Ut74.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1NV38aX9.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1NV38aX9.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2gz5927.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2gz5927.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 5409⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PP91BW.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PP91BW.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4LZ284Qh.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4LZ284Qh.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5BA4nx5.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5BA4nx5.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6YY0bV9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6YY0bV9.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7li0xO95.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7li0xO95.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8935.tmp\8936.tmp\8937.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7li0xO95.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffca79846f8,0x7ffca7984708,0x7ffca79847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,3757681088102895968,4733083147446535424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,3757681088102895968,4733083147446535424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffca79846f8,0x7ffca7984708,0x7ffca79847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5172 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,16519929141898035276,12172349776815273571,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffca79846f8,0x7ffca7984708,0x7ffca79847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9633130474582771956,6690588853978165491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9633130474582771956,6690588853978165491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2856 -ip 28561⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
152B
MD57740a919423ddc469647f8fdd981324d
SHA1c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA5127ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7
-
Filesize
152B
MD59f44d6f922f830d04d7463189045a5a3
SHA12e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA2560ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA5127c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d
-
Filesize
1KB
MD5be46922567f7d8a3c5d9ab44c0b4ee0f
SHA179d98c35bae4ebb83a4da1d10907914295683347
SHA256685f370eeb964db23ebbff465154554e86a40687f26b82f1d19286f58cacfd36
SHA512749a057b99330215bddfd9bc67449ac5934d9039e29852cd086bbfb66d158ca51e92abd5afcd95ccfc8bce6ebd2effe804d42ad2196a16a8f5f32e83b3c50a13
-
Filesize
2KB
MD506246b5a9e297ac2efd567f4b5212254
SHA131e7ea254b93bacef9e9402da95c296448de70ed
SHA2568f6a66600ead7afe5f408466d1acca8c2dc9fdd07d911d3a4d55af1840665ab2
SHA5122ff357ce32ce824c187c344dba47fc7e3f54ceb8ab6ab388de40cdcbab8af6955af2aa85e77be60211bc7968151adc03e6ee71521543ed817e5a51a90a497467
-
Filesize
6KB
MD5e652e1e62983daf2b8704a60b06025f0
SHA1f94ae09f9a3fa2c3661f01fa9f5c9b199e0d4fce
SHA256fd2a19184238b8b3fbf0ad2d938254af282ad65c61ba82f97c5b87c52096d16a
SHA512b2c2f0275217e5c9cfcc8f9bf0081283cb425acd92cf0e33d68c68678ed96e392d58e3ea4914d1d3ffe73f6e4d382fbeac7d3b729dc3cb66fe0dea5a49442d2d
-
Filesize
7KB
MD5dd00bb6bdd375797ac2261792898f864
SHA17706eeb4af2a729fafa72fbb77a0b306baf97188
SHA25640450b8c70fd425812b73058c97728b0b3e495ff84818ba6c19a679f4d2138a9
SHA512552f2cf3b0e47099dd521ecd96209051b91aadde2cee124e2add2a133939357c13eabe750c60d376160eb550602291c2f4af3ebbd003711d02801a9ab76c4b89
-
Filesize
89B
MD5501043547aad9bc3ef416b6e81cb92f2
SHA13085f83245bcaf5bb0cfe936f195dfc5c8a99a30
SHA256951ac554ab7dea108fa5f976d2c7f0fffa1a04c7917c563cd9b023d66f603b38
SHA512db4ff405ba519e7aad17a84c0251aea1659839f69d95d869b1570d8c283d02ab847c68de57a85b05d56e4265aefc3269dc5438a7412801c9c2e4bc7f163af1e1
-
Filesize
146B
MD5ea159acd87d19b974fd95c3b90fcc1c4
SHA1fbd5d30061e2656a642f23d5cf6fda70f24877e9
SHA2563c48806de1d473705f62926999183f000a7aebe35e8b94fec7173abb5884df22
SHA5126839e06e91c7a151332ae90be030767c4d1158905c1c2fc09bf31d400714df6a552f7a56af268c15c3707b0742a68b52c68763025a5fe02dff53c307e4ca3f66
-
Filesize
82B
MD5e3d25a2782c618bbc95526c27e9ad619
SHA1f70cc5316efaaa57129c43697064b94eb3a53df7
SHA256638bd5b8a956968a221c2a36e68e94fd59e91cefc7e16f83535cafe6a82dbe97
SHA5125f367ff13d1fd5f271552417b218bb904e0f605cdab85f0eff2cb519281980f027ecd88a50f1b6967a45d4b736241c2b2e678cea459a271af83b5a981a261c80
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5fbe7637a1ee2d4f18725e2b9d7be404f
SHA1f9448263774b9b2983a6ce89c9d0e70b83433bdd
SHA256e99c522c26c96ef89ee34042f9131e5028123426157f6ad920bfa2333846649f
SHA5127a647690cdd27c11a90036cc2d3bf1f14c22cdaa0b09a469e1ec3f3c99f9d0a239eccc03daa3131d9d76fdca8835a131251756405dbc24b707eab7591dc77cba
-
Filesize
48B
MD5df88483ec8bec15a8afd42d9f38ec265
SHA1354781cf913c3252731c3555ef371f13d8bccaca
SHA25615370b65bca2c1ea26d35ed182fbdbb499186c35f4831773a0d4de68270b9362
SHA512b81f7674a9ba2a9bcfc44a77788b66dde722472f461372a8038b645d3ba9ffa3e34a0af301e23595b6d9f1e66f68a81940495ccfaae2461da5f50d499f326e15
-
Filesize
1KB
MD5df59ec8af934ae1ebc4218cde515a879
SHA17b78fe1894a71e3a4b906d5ed4ce9b250e923310
SHA2563914c8f2588d49f3df27a0986182cb83354288b5f7855093d648d8cd4fe4bbb5
SHA512ee679e89edbb1e434858826d67dc3dca91eda4018246a40ee56661e663329c33fd7a2f89c5e990b506c948ec272be6f4874722fadae2863c5a98956632a014a1
-
Filesize
1KB
MD5c3f99a9a28ee9b054f2455a5eb731fa9
SHA10d43ff56c4862a88738b9a007ffa43800a2aa753
SHA256991e3ea0d32ac6358b1840274867a281384e5fda85bf86cb6fbcd7c67ba1f115
SHA51247531db4dccc1ade44567b43a3f936dff60b5d1c5dfffe1c74540c2bef7835e26003e83b86f53f5568bca35321b7f5213951e7f5b39c069e4e67d6fa30e2d9c0
-
Filesize
1KB
MD5ab9206ff1cf05199443d4ae327870ac9
SHA1b021dba14701ec7193fb768125959489e64c55b0
SHA256c8fe8900212fa6ffb175915be78a8cb1eda64625921d3a4f3ec239774007bc6f
SHA5122c1708ab4dc5caf61c4a38f197109c61f3bf6732a11e1886148ae4bdcd230f0af7936fc9cbca060a6bf8a46e8cccd6ded01dafb233fab8a0f7371492ad77e217
-
Filesize
1KB
MD5b87ee0a72b727276d19c892af012739c
SHA1978c59142667d013836b025f9c943ad2e2f60843
SHA256973adcb0d4916f7450beb2362c6987c37908e8afc536e4a14fd9a49039eca8c1
SHA512f7a9b97e18a20abb75e4bf256598c53e66624a4452a7420b5e688e5f2879e1201be1f0e2b96c3a2aa927d29c292e9fb4a25bb81d8a8734642bfa997c70d3a178
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD538a01aec513419921fb6bbf7dab8d671
SHA1d4c65bdfc7caf13a585127aef1cdaf50324f10c0
SHA256b5fdb54f902b7bcbf264e2dd53229e3db76cd7be430a93f44c85f33f286115af
SHA5128753a6983a5c89b9ec7628c0459276a0191a6fb9a431b765d562998d9c39040e9a7262b9fb9dcc52d3a32c2ec0bf2696da43698fe0de1a4664003359b52d9bbd
-
Filesize
11KB
MD55e7a3e94be694761b8e1d6dd5b851e25
SHA1b1fd1adf8cded04a11f9e9ec6f3df20f4a6a80b6
SHA2562425e3c73bc75daca88b5636c5a33332f1f3bc67b1969980ade70aa15be72d7d
SHA512fe85abfb0c2e418d0069e866b1e1138937def75fe7eacada4297da61fcdb6cdb5123891d4b7ba85c2a3279856b04a61e37220d2ec35f4f811c147cf377e9088d
-
Filesize
8KB
MD5dfca9732b7372809fa8d7d9f50e0f359
SHA17d23d238c54bd76046c8e948a0ef56524d237ca7
SHA2564aed1d70796b480a5d396bcc8c88ba2009ac7df0b728c899f0df0702c6e5b884
SHA512798aa502e1556d2eae90d0fd35026159359dc1a4c86a1d4135c7727ce80551729c73dfcd3ed17d8eef71bc428b067231cc040a558af9410844338ae82877229b
-
Filesize
632B
MD5401dcacea4acfc09e8774cd0fcf16129
SHA1ae03b7999297b5383785eddc4f6194fd4c80e149
SHA2561d5c24e97e32d5e4aefe29c6a84df664e67a2db5da7a6d138e5084a60a7bb0e6
SHA5127c423d05b9ea04a06614037c9e28f3da27fbb95daefd14450cabb35a6abf546b1a6585c1bcd07a66a3d02f967fa1774c9cb09b5520a53b2f90e0ed1cedae3dc5
-
Filesize
87KB
MD524c23ac8125978ded1ddf98693e50724
SHA157021ee42416af192ea530f25e011a8b6c8fbf8d
SHA256870666925ff3f6d365a3fa6f7bc26e2652cf0ec22b99d9fb77be2eb1d391d69a
SHA512a6f48bda8f10d8d23fb9c533d5c7b4c04e2c81b67bef56366a36574d618baa755db6c566553ef963c3db75ce1997bed3e97f93fec565a14706a00523282da5b9
-
Filesize
1.4MB
MD573fe2077f5f6956000a2d586c5986179
SHA1610eddd2970d08d039faeefc3683dc1e6b0db116
SHA25653373e9a9202cc2967ceb083eb956bf9e903e25a7b0ce9365bd2f2525e187f9e
SHA51242af9c76dd085443fc81dfb4598c390317588d327a51d065c82d8609741be39419f5ed35daa8737f969e86a332122152beb3b9d21d2a62b608f215a8281c15db
-
Filesize
182KB
MD5a387a3ac649ddf3a348610a83a5a2d5b
SHA140c918c05a4f4ad5e596d96869295a25cb1f27b9
SHA2568423dea4a303c90140a2f43f19944e4365b76d3bba8b75b4787644c0618ac253
SHA51260f0864ed3b599e281f3af3d2ae4c7adf902c1fd4326e71ff5306764bfa69742595166f999bf0f4441037df9198402d84d902f1f15635d4f83a16e93a283e75f
-
Filesize
1.2MB
MD5d26c210d5c1005271bbb1dbaee7cc54a
SHA129cc2288946081fe8458e6fb9393b3f3e6447c4a
SHA25671b6faa2c801edd8c8358414830450c3cf7bd8b6d36b4a499af4de4172f8eff7
SHA512389777a5d202d862d56c4d0d99b734184dc10e7ff73c5e49d8a12efa950a1145149c409b51d6bd2e6edd26eadcd73a9114287ae0723b0839f22f219c56b9f79f
-
Filesize
219KB
MD599f3e21239bcf421e662e12a289eb5af
SHA130d13b9f6bdd5f376eedf8cd38bf7cc0b56932d7
SHA25668d401bf10be8823a7c53ccf59edfa4a889bd923927af7da38f7547405ef1307
SHA5121e923d2036506f8410eb37c7f738a1281aca66ee75fe39778cadb8ed2b574cdeb307647b6a3c78e4fa1e783b604928cd58ece08567f80f5424102d341a556a48
-
Filesize
1.0MB
MD5030f3059f53c613ef4fdf8d82a5f1114
SHA17f1e148e8562ae86e7fd25962f2eef783896769c
SHA256c4c2ce08cedaf808fe284d1b1f0e30a551c764b09853faf191819cacfcc3f72d
SHA512e832876c58f0e638fc14412b7671a15ab37f4a3e57176a96fcb3dd52cc0bc7c06312760730616be7ee76d9827b8175819b21446e0915b737b36c72e369904128
-
Filesize
1.1MB
MD5b59aab324b59b18d6c8173e2f49619d0
SHA13f7eab30ef9c2a7267dc687ab25e5397fec44cc9
SHA2567c73fbe200ee480ebfc38ad51942d7e45dc103801d89d8fe47a875a350f652d1
SHA5128dbb335198482725fd26a437ee81734a4f2036c8fb8fcd173b8c383dd27c9894bc474a9c13584fc537a8a28a7087b572ad18eeab914dfeb58306ab4265b925de
-
Filesize
658KB
MD501de67d96c525395a9a68ab442a5343c
SHA116da88d2b648ccfe9a9bfdcfb4144cd4ade3aced
SHA2562d350f93eabc1e1eb7c82f85c99f8a198877269822d85e84724f2f97fb2d839e
SHA5126ac64afca30c6ada31b87f9db316195595abb5fff0e961ebe44ece62e47f0056bb2c93cead0c06059b58da633755fc149225034d618b50e94bfcc69d091a9e7e
-
Filesize
30KB
MD571dbe6294fda4526a5e1a10bcbac0f32
SHA14141508301b5e50e74c9c646e11b222445ae088f
SHA256697f25439fd56492f8d933d1cff6bb054c0466eb0210c6f7f8bc7a202bec1064
SHA5127bded99bf1b20c978f0f4c526823b417d9da5b219b6353d43190e7bac8dc11ee14875c7b60ea9a6a8e0e457f35c635a728f298dde160425958106f2781baa1ff
-
Filesize
534KB
MD500b8380f4a5e4057c25ffdcb45400a06
SHA110fb5cb7c754bda83eb4e56a9598e39e5fc18a2a
SHA2568af3f042cbc7b218bdbb946600f86e994f5d0f8610fdd063f3b217eb038214da
SHA5128c6e545baa6a7ff29fb0c01e519cf2bca6ebc5740b7fe8be403c40d6d432b359e42951be5d777ec521de4e0e4bb8feadfe786ec5407c64e82cc0990bfba207d2
-
Filesize
891KB
MD5dbad52d4392fcc295ac697b83d1dee8b
SHA1b757958515266a89cd9839e03285c620c101ac79
SHA25672f2176f67b44f5b256e161ab6e8c8c5ea3dcacf40402e61bcf1e072091231b0
SHA51256b45b472dd116c497af20f69add541ce01ae8a110b3cf09234ffec5f3b44334b3d9ee5ee4cae511b02c39095bb32cb20a61565c5fd2b3cfeb2e7fe12e02c043
-
Filesize
1.1MB
MD5b35a48cc9c75fa069ee854f6ab436907
SHA1a1b71adb9d153d57a9cc011489bfe34daf318c0a
SHA256747be7f422deb3f77502a8053e48596e1adce44b8d6ec86b271900e6ecd0fcd7
SHA5123f0064b9a02cf29a1e45e4616d270083cdae79334e98ec7eddccab6fb52fcd4988c00fa57b467b63904bfc4ffef68432aa3aa6c3f1b0804f96dccb84bb3f369e
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
6.1MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB