Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:38
General
-
Target
0d5168a6e44940ea7f1cb2dc06698783e7e987b82ba1c25c333279001b78ad57.exe
-
Size
1.6MB
-
MD5
6b6f9e49181e1d03f78509aff32e0baf
-
SHA1
86ba4bc261b4a51042098accc67272b3a7b29761
-
SHA256
0d5168a6e44940ea7f1cb2dc06698783e7e987b82ba1c25c333279001b78ad57
-
SHA512
2ec00bc01b105676607abd978e060cb44ba7a84261689181bdb137246998b76f0c7d067dc0cd65dd89987ef9c67d2fa4554f73142efc5f13405302eb2eb892fb
-
SSDEEP
49152:psD5WlljuPP+ZhBIgv2ldONz5DvLFETghmyN/Il0TF:ygZUgOrONBTsyNgl0
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d5168a6e44940ea7f1cb2dc06698783e7e987b82ba1c25c333279001b78ad57.exe"C:\Users\Admin\AppData\Local\Temp\0d5168a6e44940ea7f1cb2dc06698783e7e987b82ba1c25c333279001b78ad57.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vy0oJ44.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vy0oJ44.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aN8bb19.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aN8bb19.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WP2gn59.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WP2gn59.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TH2qY10.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TH2qY10.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM7YC38.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM7YC38.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Uf70YP5.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Uf70YP5.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2QM7584.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2QM7584.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 5409⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3hd09hY.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3hd09hY.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Tc192Ss.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Tc192Ss.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hZ3pY2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hZ3pY2.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6vF2hB9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6vF2hB9.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL9gO78.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL9gO78.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7AAE.tmp\7AAF.tmp\7AB0.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL9gO78.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd411946f8,0x7ffd41194708,0x7ffd411947185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5472 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10480298332987142635,5242314779217678421,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5140 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd411946f8,0x7ffd41194708,0x7ffd411947185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18051992651863475095,14594250654197235680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,18051992651863475095,14594250654197235680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd411946f8,0x7ffd41194708,0x7ffd411947185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16533892524746726073,12885279671463913261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16533892524746726073,12885279671463913261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3496 -ip 34961⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
Filesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
Filesize
1KB
MD530c2db5b280f611f4242914b8711f649
SHA12cafc80e062f1f989939fa396dcfaab7c0234fd9
SHA256f1ef2e39f1f05055a9b8c5787b4b4cc616a3f0709ed77cc65d97e7ce56046a99
SHA512644c7606af7350b7e75702b57983ede7bcd090aa571ada738cd588f109ba995d60a7329ada9bc40c9f81db59f2ca0333129420a1f0673b78e1a984b9aea775c0
-
Filesize
2KB
MD574416b562fbf770944566f30f7530d5b
SHA14baf489224aa15536db9c8c5426fd630cb64cb30
SHA25609245463a063abf59fb407a24612b87a11984a3713ebca91e354879075f2c948
SHA512a52b129ef2587fe29780a961e4201c6305cb7a32c43c56e3ea05711653a69b1af13f3dae6d4f373ed80c220b5df50d52356d6d3f019e8ce90a5c7e2c5a1ba3a7
-
Filesize
6KB
MD51ad5333e76a49b814e0d3c5e706c45ea
SHA13cd2cecbd12b70b59bab9eed44fca4297f662636
SHA2568384fd8ec92b0c0298e274db5e7056ba073e1bea43ab34fff185d4f0f735d851
SHA5128fa973599092a15abdd0b43a3b2016520a6a680e3b71bcdc7e06505159ec2857e130b05ee278d4e6d563d88d555da66433e14dd77156a69705995d7b19a6fd99
-
Filesize
7KB
MD5efd1340b31772d2fc3ec11526e3c610f
SHA187576e0d017dee70bb657a7fc4306eb04b533cb0
SHA2560f04f71d69d4bd015544e763939cfe158d15bc6b798bb2bf9be4da4be8249af3
SHA5122ddf8074af7cc5e8eed96d4f521e69717a3bdd92d276461b75848be66e89fa82d0c49a96ed99d041ffb14a171377cbef3381e3eeb6224c97c9795528f7fd30e2
-
Filesize
146B
MD5f8c7e68e36d73bcaf72a07bfb3f7615d
SHA13800748eec945d08a89d8ab30bf03777ad5645fd
SHA2563174e72187dc33452f2095320fde3082cc2fff5ce108e5dd00fa27e6e8bf719d
SHA51260540d1953039ebd250efb651c7583bb01cb7d670588ad2ca87205a2a0219714e6d70951f5905355f7f2b1f95070badefdc8d5a5f91f3c9b44d4acdd3ab40344
-
Filesize
89B
MD55f46240eabec489c7fca0b1b51cef801
SHA1327af08b82732e09f7c6ad807216efd85618780f
SHA256d4f3adcc2a5aa345d70b050e4f6ed75e821840a836cc32308c0db484a4abbeff
SHA51222b6c2e724018c82aa6b6709ff90cc5e967a172e445582280c4ab5723784a52b8f6cefce500ba8ea9a81b9b843aca8cb5f05c78c4def082f02ae463d76e2add1
-
Filesize
82B
MD5a54e7f8b8d4356ba1471a423385e62c1
SHA1001f7863d01933a08718ce0d284393d38ceb2f15
SHA256143c27ac80f6491dcc61e1bf77b81aea1f944bdf607eebdf0abcf5914f750ab6
SHA51248560c8acbc1ba79f728d9a408760dad013970863d887b0e9f68ed6f27d7ca568aec96b1303fa9657ce16a522d3d474620b48acc349d9e330b1c11ab5e3846d6
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5439f7e09bb8176e8004577fcd1baf4b1
SHA1c9210e4df4a408f81e03c77d1e7363564783b815
SHA256653dd21a9da4ad83182eb5e87be036ba2b56c1ccdbf056874f51d261d625c159
SHA51229f535ed6644418c7c995d83fdca44e4461d32fbf333708d593ff1c78d5b8b1a940a5b40b363896a08cab860ab920d2b3a70a56f7a564b921ae579385cf999cf
-
Filesize
48B
MD5f3f71916a04339adf80b8cf71108840e
SHA188b4c2a3dcf905b1348e64f6573d13a65bbec452
SHA256b13495f061e7d95d736990edb061a709daceae65c9c1e9019cb7c21cc39a9648
SHA51272b949cab9940737794256f66a978b7c8d60c255b46373dc100cc1d58bcf5f8a3959c481ad141463a419ce891a4c8afce0ecebc003f0ef9c6fbf3c2c01f58d87
-
Filesize
1KB
MD510f5cb7a7016267639fd94c6d12ac032
SHA1d29fd4aae8939d1c77f93f689d1e45b1c0050116
SHA2567459f487b86f4d1f6bd421af86bda5c7c692bc4f4e1d217473dfda5a7cf30fa1
SHA512160f6ff1995b97ea8e8bd411586bb58a821f8e3e0bced1097e6430e62e8e5d7fc118d7493f9a9c4fcb87797b18cd6970e2c7b5c8a828201a23d17951b48a8c60
-
Filesize
1KB
MD5e94ad28ccaac662ca67e00168a7c25aa
SHA16e0ef0d7241b7bec39e8c928050f7d31b11f4bbe
SHA2562a6763d218f2adeb117affaaf03a34c4afec8ea2216a011abb49c0e2b5b682c5
SHA512ab8b0c708d1370d9416ed5b80992fcb20885203cd8d4ef8bad34b4dc199c3eaf50e30e9b62d51f5a4ecf1b9e1b3397f77dfe9144d26ec0e52e75e0d2805cd7f3
-
Filesize
1KB
MD5357766e68b2420f0efaec1d7625a02d3
SHA171187d5b86220eed9faa2d96ae8663e4802f6d16
SHA256f76306315de0c0185429b5c7af7b87c0c90bb46385e29ea54346a325b9bc58a9
SHA5129cbb8083edf8959586f595e6b16f07c57c12987be72eec751a8bac94df9eeffc4dd417748e053058de506818f279ee45c086457ce4aa93ecf726b12b9878b87b
-
Filesize
1KB
MD5aeb15c1475ef152009f0a66c6cf892da
SHA1ab1b9be54007ec68ec6efe0776bb8a71f9918f84
SHA2564b91f6486b4aed37641ef7d83120c5b330b04137b6b08d794455855a835f83d2
SHA512126d1bad01f7d0b83ca12d3569e0ce9b82c2490ebe15de9baf1eb3713d86c81b1fdf7ddc806c135c56c603bfbb5ae86ff52a0a7483b643e429f0258cfaee6eb0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5d2acf885e2e5352e92bee29a70a1be14
SHA18daa986c955a71b0ef77c1fa3367e80f5e0a1334
SHA2563c8597094d5b1e09d0f1929a852534635a2143040d40d26e962f3dbeed3ee2bd
SHA512152534137c7e4c793ab025b462fb87080c7a6e54df684463ead7095c5b9a684bdd858c9fc5a0819b1035c5e5275cc99f01aad97d00e69d4cd6b13893ad18795d
-
Filesize
8KB
MD5d4e383746e22f2de29b1ba2972be5f61
SHA1bfb563b9685440a6c9a64f78f41a287fabea37cd
SHA2562fd4326d6982364d9076ecdd94a48562a0b1ed926e1066a405e8778213e349db
SHA51202d10076d51393f706e09c61effb08d937a4ec4530703a1dd0c31e7fcc9071118e2065ab50862d9a17acf5748e2537fadd80fc25caac0c18565b432a78966e31
-
Filesize
11KB
MD53d47919a5151343112cd3d8f93870dc7
SHA1fe8ae15f9cb4f36ec1bf1a2d22ca9fdc4e9e45ee
SHA25668845e9d4f0d8eddc4f100d921829b48493d10c37c8fe7eae841a14676533398
SHA512ba148cd4315682bff0c1af1a374a3353c57f68afc3fe14b487be8afa64050b872d486bcdd72df888b16b70f0421e70b8b57f6a825fe1f50fa43682b864a5b100
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD5e58787a4dfe4cbda82e82e4fc1ac0c0e
SHA15f76c0aa0010032c2d3ee5e4bab7580b30783671
SHA25651615e3ade1f0c9163bf808b32ab576cb2f8d494b511c6ecee09315fd8893aa4
SHA512c877e497e3a23161d2c3d6ed55b74c510d5075adce5542c9feac9cd7b4de26d8a0a5864caacd8d88349bb229562b14993249d2e85f8a161f3fd24d388779989a
-
Filesize
1.4MB
MD51aa3d037076d524ce93aa746f479e953
SHA1e57feb2ab32be514ca5ad4df1a7509b93bb6db6a
SHA2565eb5df5728cce0fb34e5790b678feea77c4b2dfa522aecfef3f7c738327f4701
SHA512c4440e0602910654978423b092dfd25028aded2542f13c1e27bbee6c711f818ab169b893222a1328fa5a35db890604df74a197c551bc41d9328ae9d18b445d94
-
Filesize
180KB
MD571e067c58bba188ff6991df61bbd3ed0
SHA194709e42db782e76700fa34606684f8016b9078e
SHA256106b06f2f1e28d36ceb766d6738e012952a364be425f117260e1f5a927636b1f
SHA5120bab9798913edb20c82271da67f7584aedc59569527bc4ba8d7d7e391b18179ebb7bb7dc7e2d98910a5d3e1bfc209664709fe13dc65426f86b44127959877299
-
Filesize
1.2MB
MD513819d2ef8f7f66234cc20afde10443b
SHA1a76abcaf910eb169209d9ff651152ef94d4e5525
SHA256556d7895f8f90bb287c0fd00eff4a6fd784e21e867d887cd6e89bea9f31ee213
SHA512036de462c3851e055123fbcc8bd532ce4eedd154f101267850f7992df0ecac26ccac821004b8493a2408f1de76b4c207e761894f5027e73cd8ee211bd44d6a06
-
Filesize
219KB
MD5c0ec4dd9c21915b44f2655e23aa50fd0
SHA1e4aa3c023576067ded7515f88e8782eb8a7af614
SHA256d84e1f98e3f3d364cb93e6cf4c9b993944be61ec5b674ff157711d11bfcb7191
SHA512a28ee2a17e08e995900596fee57a4c2361984e679c9a387735af92dd659b3faa527d8f437d7b3090339047b0e5be777113d9697992ae370567e4216ebb684c8c
-
Filesize
1.1MB
MD5fb9ec67282e955142284a5e26ff34f69
SHA1b93d91f57030aa7ebd78c1b9df2e89f3d0aaa274
SHA2564ea7cd1e48c4fbf1cb53e1523fa875227d41e8afa4a119e0db532e863c86af0d
SHA51222d9b20df0c03e33d2f4a9b0c490d8dee39ff6e6b32fed49ca565f4057885c5e07cdc567c11c997f23c5989f97b3dae5e75b1bb58dc20a7715605f51a53979c5
-
Filesize
1.1MB
MD5b0407079529dfd079dfa7804a3b0acf5
SHA1a78b6ff0b45ac4386daee3f0f8f764844578f8c3
SHA256fc2f73235d5125551906d4c5b962c19276ac46b943fc3575af399aff61759992
SHA512825ddac35d142a7afdd4b8e23ea575032ba955863073d6c900359862f3367362c58b5ad31a76182e301abf00ec85924f85d583064b35cf02d5084692744ed93d
-
Filesize
682KB
MD576133daf5123d791d05f3d6077b82da8
SHA1a49fcda04704afd6308f0a70ecd26bd93e728650
SHA256058e376103952b045ff8808c7b8f1a8427a7bb6d0a41247bf40baafd6fc8e31b
SHA512845fd4fb3b604d527da5a4fbd829b969e5acd280d3eeadb545325332ed9805ff50578d7ff232e0ee473b6c5115d0a9159d1e9daa67c8852995ed65ce93aa187e
-
Filesize
30KB
MD54f07adcfc663ae5ee5a051c471666cc2
SHA110c55d117b211a7df58af3b1b6c687d73d8d9297
SHA25680f8bf6f0da127882e35d77b5d8a4408db844963d26e479f17f62fef5ea904f3
SHA51298727b632863606aa7af8b2dc370f5886e968f3fcd1f9ae13959ef640279ee80c1475473dc3dcc7853236e652e8ec3a03753e3de5247945e57ebb5b1d81fddd3
-
Filesize
557KB
MD59886a5b5bb35d2fed26b537659042b18
SHA1f0b1a1e7a2c2a4cf28418d0e7c34a9ff65f90c79
SHA256f5e0abfbeb3e3787515e17feb68fa7257804b1b13eb93d42f1a19c0034a7be07
SHA512459bf851aac4b51d2872b72554f1f146e929cd604fcf9fb02d54f45bfe3b9ce88a07d62bafa9afaf2691ed2b084c29b067aefcc58b2782ea5c45918b2938a158
-
Filesize
886KB
MD58888c49aa48cf0ea1dc2be358624d147
SHA1055f7dc5635544ad131cc1331a59e866c9402ff8
SHA2561e111d314fae9689d28706c674c71ddaa6d7ecfc4df9d82560b4cc6dcb5a2348
SHA5128cb0c17f17baef58112bf01e14242b24ac9e300a0fe6083554b8a4aed029ee7cc7afb174980fec2f782fc2fa1fed5f3d607dac963dc6f4c636c0cf52a8d8e8d2
-
Filesize
1.1MB
MD5efef9300fa83ae3951a85b97a03791bf
SHA1f7223b49d8e14c9a0f197a5681f2fc01bf3b5367
SHA25698fe1103db4b9754e830af0dec07972af188f84418d0c6ca3f44d97ee3ef249d
SHA5124518b8b8d7acbc461f91570f2af7a94c260a9be12c6814c24dbc7ddf6f55dbb81974203249ed61bb7c2334468cd79ef26ad4cd33147a663ddf4aa195c560d9ad
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB