Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:38
General
-
Target
b4a8466ebd6ec25b836f3d0c5c54a633e4d4ec5ad8fd14edd57c14b239ffcce5.exe
-
Size
1.6MB
-
MD5
d4d937fe82ff4a99aab43581fb89ec9f
-
SHA1
fe92b474f9c335d77cbc3a12be2a3e0677038cf0
-
SHA256
b4a8466ebd6ec25b836f3d0c5c54a633e4d4ec5ad8fd14edd57c14b239ffcce5
-
SHA512
521c788a60c2f60327f28d79e53699d47d24786b9aa3af9403d103da589459e2320fb751a9803686f74f50b204387827010a96cbac5bd45b4c6947827b919a1e
-
SSDEEP
24576:OySD8YKtnyEXKS+e1RpuiZU498QkiRimacgdx9We/12zCrzi/O+O1ajULtfT22F6:d++tAde/iQkUipYet2zCrz1d1ajk9
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4a8466ebd6ec25b836f3d0c5c54a633e4d4ec5ad8fd14edd57c14b239ffcce5.exe"C:\Users\Admin\AppData\Local\Temp\b4a8466ebd6ec25b836f3d0c5c54a633e4d4ec5ad8fd14edd57c14b239ffcce5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jF3dl08.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jF3dl08.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GU5lD08.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GU5lD08.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ff8hQ09.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ff8hQ09.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tQ4Ct24.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tQ4Ct24.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dx2cC84.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dx2cC84.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1EV04Vx4.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1EV04Vx4.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Qd9357.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Qd9357.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 5409⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3nd59wD.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3nd59wD.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Kv029eK.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Kv029eK.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Qf5VN2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Qf5VN2.exe4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bO3qV6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6bO3qV6.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XM4Ys25.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XM4Ys25.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\690A.tmp\690B.tmp\690C.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7XM4Ys25.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff962f846f8,0x7ff962f84708,0x7ff962f847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7602248565068285052,13800309010860030578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7602248565068285052,13800309010860030578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ff962f846f8,0x7ff962f84708,0x7ff962f847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5100 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3308310852032281869,15389998809576596527,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff962f846f8,0x7ff962f84708,0x7ff962f847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,5516737794456883494,8788056435311123233,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2440 -ip 24401⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
1KB
MD59c62c05145f55e984545d80c1a54fc88
SHA118021e99472e71536831417d25b149c06589b460
SHA256b267502eb65ccf88fb86740a09e204853df59059e05f2c177468d1499654f4b0
SHA51200080ee9be28e864f5cb86be63a0731d8089f4a30882e49f7350460be48b650f881db3407f04466137b89635e6d604be86cebdf67682d58774d08963887b321e
-
Filesize
2KB
MD517d82d9cf9a1a865169bdcd2f5762c3a
SHA161012641796d30440416353863fe3a23913a0788
SHA256a92cb9d417f9dd4e866406be794438d0877b9aabdeeb8f9eda25c651588c6c01
SHA512305e167d54e3379eda52bf0641026b25cf3191a968c5fffd0a6fdcf4145054ed29e023223f90d3163ff4d22610e64eca768d336239c1b7e26ff9caabe9d800fa
-
Filesize
2KB
MD584446dfdfae93e38856d2336469d45f7
SHA12e38b3fa5a84609e1e948d17e11d8a6a77597126
SHA256cb3fe0903899abe6a769ac4dcb2526494971b4a8de8e09d8828141e8ae34620e
SHA51218ccfd36e070d6580cc816b01f05bb8298bcc00cbba6c078f8d268ec4c44260d2d42a01143d5adb56f7a3cad5de377c4aa9ab5f849cc14d9b61be626b3e794c0
-
Filesize
7KB
MD53808ce9b47a479e8e87a4adf0fb629a8
SHA18fb1cf9a9abe343d476f1b0920f39bf165a36f99
SHA256699888d81d141a3b5d78d151c24a1cd7431a72d4136305513bddd40b7366c565
SHA51271fac6c38fb7e920a36ec309e56670515893e8d60a87c697e9c6de9986e870a6f6b4fe934b8ecc7b4eddd51eb927c35a5679e56e6cdbfd2c433e92d5b774e8f3
-
Filesize
6KB
MD5d6af9c60bc263a7dac7f3b884e6f874c
SHA1d04970c309afb8240214721f310252c052f17e26
SHA256d58407d09feb72386214c5d187fcbbe4e71945dcb253685ea05e521aaea127d7
SHA512882e322d662649fbb73b3eed5fb348ff242b26cff15145cac6b21d43eec5ff0779d1ee81a665c6ac084bbd8f9ef0f6a2df75f48f96322adc56d9fae086bfa0f6
-
Filesize
89B
MD54450cffbd5d1226399d09c402877da15
SHA1cdc702441c78f11f11bd748d19634869a8a64fd7
SHA256b0975fbe2d428339f8762ea90a4811970068791ee7a38773939b77c7b560d10e
SHA512101bc2e713389310fb6cc6bda9e78113640e0f53b0abf2d731d62627accdb629c96f4f0ac59d2355dc426236f1370f3d9d25e9d868f41f6584a32d77603e7a88
-
Filesize
146B
MD52c2ad9d3b8c907aeaedf3f6d357936b2
SHA1e0ea69b0250cb1ce66da4948f842bb955127578f
SHA2563832d24e77389e8ccc517e9ccc186ce3a15aa8ba42aff99c33365685804442bc
SHA512cabbb96daa6cce990beaca283fc3df1a20bea9a60a310592429233663cfa8899fdbdb22cd2ea67522f15dfcbb066ed2841d172b61c5beac0f5e64a3ad23226d3
-
Filesize
82B
MD5539ee4968f3399679bb8983b620de69e
SHA1b1fc663a998b74933de7ea376841259fb31eaba5
SHA2562c39f68c30a6e09833473572bb4627621ae8983bd43043b8aa39f06e329bfbca
SHA51240f0f5adbc7a324723fe0b1ac3ad37d4c74792c17be9e67111c6b9cf42746d7e05235149df9434a8e893cd7c97659319047186acbabea8554a6a146bd97bda08
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5a273b515464996c63144f9eef8799f59
SHA1882e8a8b36a54c47d297c76136dc40b3569ec7e9
SHA256f531b675df815352828e8c34f410c8b3f36b27fd117e4cb4487cd03878fd9822
SHA5129d131df519e75aeed188ff994e5b9caec9099bf671cf641754d91c230e0dc0675dfac4cf87acf8f37002bf4b53dca9f7fb29abb2320a22d0b9dcbd7da5a805e1
-
Filesize
48B
MD5742f05ec2554cb90916adc4cd4464abc
SHA16535687e274d0b63bd33da7b226819e93a4c139d
SHA256e51359070046566ab5e553eeda5d47267e7c5df283b25e085e0de6066465dbec
SHA5121a4a70831e6673dd91e11f2f07f3af6783c2f62ff2df3a405fff13b87645c0432884f6fd360ce90ebe46fa51cb857ea9080892c96b4fad50cc54f00dec54e552
-
Filesize
1KB
MD5ac40025338fa9df3206bb555b08fc9e8
SHA1e55c8654d77870c1ebbd1f599050ee557fc96f2c
SHA2567fbb2f882b0a28c10fe16dca88e719542bfd2c9f7d36ed843d88273baf2febff
SHA5128c52a6f0b1917d19ff536d2d6ef153573d396109117f7ea75c5d5fd9ef4d3e3d827a0eeed4e0ad19593f7769b4159ea7754865c7bea3b95d8546dcad494982d6
-
Filesize
1KB
MD5cbf474d034c9d44c181ca8247990d46d
SHA142f9959e8d9ea92edf9ca9b9979cb2eb46068918
SHA256ed2317157c6cb1ee62c952bf631b2aed5100dea003e55d420028e1b9544d53d3
SHA512a508ce7b0a195130b0f5b3f7c29b2ca3bcfbab60f295f7dc7874f251f9753d8ee1b23b7a9307cadbc2b5d42e86730fd70b23abe4196ed85c85efe1d7b82f576d
-
Filesize
1KB
MD51a1496c8eef5a6115546d23d4c3690a9
SHA1f39276d71b311284a59886c1dfc318a5d075ffa9
SHA2562be7ae797014bffdf19ea3053b6d6373ab5c032efb5cdcb7cc164397490f343b
SHA5122904a2d8a19c191c5116a399500befc321b15b9a91d17ce461731c59a774bd3ee8350d3cd9ce0507c66389eb1f83bb301a3227f08481d160c9f4fb74e7e10751
-
Filesize
1KB
MD509a80f246070042ab0990d6bae553a39
SHA122e3ee02b20e3c033b3ced1714574cbcea18076f
SHA25609107f391bff3681746622816f3e0fe2a204a53d17f92e21a71a03d41dd2f811
SHA512fd5bbd355d58e825f40192a1d0020215d0eb6c37a9275701b36465f18255879b6135908f0c2142512a1589d4d62033548b2adb59750eba7bebf34fb1a9bd08e7
-
Filesize
1KB
MD585cdda741be7a8a89a7c599f24c0f58c
SHA18eb4ffa95c40c1fbaf40a177935cc9edd5d4a8e5
SHA256d724fcd9f3af9b9f907fe51fcf696a5cd37dd37089c8030177f25761b17d0778
SHA512b06c7a1fa5d7fe314dadac5ebe4ea343332be552b314827630c391aed877398f07df0d956bfc25d20d13b4e99cffd86ced8fbbf05cbd7f4b9f62298edf4792ea
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD526f3e3e192072e0025d5c4e153c5a1e5
SHA1383a7a181353d0c8c903e3e0139d3a68dbe30472
SHA256ef59485b6151f430999359ab94e13a451221ac1c1948c660ac958b80c77e80c6
SHA512a2bb8447f56bb5335c4683a5bbda5a84436565ed231e177088f3d92392beb9fdeaa798d5f811f6c010e871f0d42318a14baa043b1a3568acae22d1b03268e6f0
-
Filesize
8KB
MD57179d101909e6c375fb652eb2dcb021b
SHA1a934be4755259a2a987270e6fcbeb682df16a65f
SHA2568ab3f2c51f7a1733f840716ecfa57a810013662f2215938bc5e27b18e8b44656
SHA5120e730dfc5ddaf158fbcba3a92c7a92f3a9e4ad2f29dd4b1189d4ba304c8523992e171308e1fd859e2bcd7b8eeffcc526ff3d2b6672c943137ea8281db5b19ff6
-
Filesize
11KB
MD5a6962546a2af20cb0c98ac8fba202423
SHA1e783473316cecb311eb3348b83614aa5d7a6100c
SHA256ad5a80c3590365b8e127225e92d254bf03dbcdf0885855190ec3627c22234b31
SHA512be172c88e6f0e4d26a09ef9aa1f88318cae3ef89d05feb1dd44b694440e6b3286583c2458791701205a533bd082523d99c0dd5451efe520a810b66dd53deea0c
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD5ec083492f9f0b17ce4f7402eeb9e0dd7
SHA1fa7f2cf93fb07bd003329ead26c63cf1e8ba4299
SHA2567b1ce8561335c18331ec3e591b13f478896a5dc5c699de8660c105a4a22dcd5e
SHA51287a8b14fdbed7d0adca32c953c70ddf84afb3fe05a91d3ade7b3e08197061833ebed50f25f2f1c6e214e0fd740cb852543e6fc6ba58d0a0f00f150306f08f545
-
Filesize
1.4MB
MD54c53fbf14494b6cd45493944018118f2
SHA1fda4ae283b70b107ef5f9ceeecc54cdca76bab88
SHA256d661fa15f79f8248884a2b9e5a229a8017393ddca4791abb4850dc4b178a422a
SHA512e327d3babc443502fed3f78a3e29dc8cfacdbbff4bd4629ddfe8512dd2ab0e76ff6317e7e610a3898be1c71f5d27b6e8935200146f575ba5bd9624282f8b69b6
-
Filesize
180KB
MD5dcfac39d20d74126a22a10f173d4de4b
SHA13c9b1aa139a5b72e103b08f93b0f7cc3c536785e
SHA256256895e6954ade36dd2e510e96cde8ea732aa36ebab655682ec49531dedbabfb
SHA5126551cc3a1a7186f7b8dd33df07dd6d39e43b034735b4b7bba0ed92023c9eed08e15507b0368258d6d74c6ca169bed2f7890a6a40a0b054d4507a60b970cb5a93
-
Filesize
1.2MB
MD5fe181080e72086313526413ff818f5fc
SHA11d7a9641824497c0eefd970fb0a54d38108d8ebb
SHA25654dd36e249cbf6e5f54c3309158b929f864ca2e349e7812c8aa377eb0706e48f
SHA5121d52513b60f76c331928ddad81f17ca621d03b33503831554afd62e5f7fa1aade3adba14059531d6aba5c9e8f7aa34c99678354c3dada3d3a74dc28ae4916388
-
Filesize
219KB
MD52adc73cc227264a2b2cb65605e04ddd2
SHA1d8f25c99f0d39b01e2dbd12ab1a8e559f2701458
SHA2563855c50036648f2ad569d7dc85ede5bd55e0ed7b8ec45ca108cbc321c4c1272f
SHA512fe4170c1058396e9a259a95f1c8960abbaa7a6189af60149ec0b467a5038145daae751d9aa44ae07f5566a7de52038c4315f71ffe4340609940ea7bf65ef0f12
-
Filesize
1.1MB
MD51d9d511a6d2a8743d15242a6a35e71ae
SHA13db17ee8cfd1ee01f4d26bd6da4564e6bf19629c
SHA256302990e72db4d6a9bb10cb67f2c9e29662a04c64a963a44e43e7964b93779ee7
SHA51291ddac4a483ecb994f05effc5c155cec7f85e50b2f11444fd9807a287e40a5bef700baffa260ff7fb5e946e9a039e38828b8a54338a0e4803a98f48a20f65ad6
-
Filesize
1.1MB
MD595917bceef5fca8716f25b0a44c6a081
SHA1190afc3788a4d9efdf440a0ffb7c5731ede3a6e6
SHA256ea54047b72c1fe2e67e639b88bebc27d71aeda525dfb4f5ed8cd1c5d3225a57d
SHA5120e17f462126c7db9e589e260ceeaf94848856c82a8404806725b504bb2ab6214df957cdbef10902439df61daeb8585596404d5a61a76d92d0e0343456b0ff070
-
Filesize
660KB
MD5b2d5c98a2cd42f96a2aea6356ca89e08
SHA127b13c0e76240dc50068094d19fedc1c404665e1
SHA256e9e2131227858b984af0d80c5d7899c0776c0ede43ced95ad546fa4bae1598fa
SHA51277090b0efce8ab0cee36d4e6b7390301fbad2d9779142f4e56f26a554aca92b7fd5f20afa74b2ba25b8eadefb02aa48e9065f7524d4e3c5d82e382ee5cbfa231
-
Filesize
30KB
MD50088d891f0ccafad63181e8dff1e9575
SHA1b5c09cef3d91a010ceb2da45edef303e0d7e5361
SHA256e8ef41e2a49a71b66681d19dac104d5f45bcd980d3bb741c929abd3d6bebba4b
SHA512658239997d0eac78ba03bb6b57e3982559ae98b7b9877d904fc84e9bf72898ca9d5f4e70e9ea7361078e3e764d6a1b231582a92b7b862b63a1fc117cd7b4e51c
-
Filesize
536KB
MD59ef8691532e800852481defe770c3f06
SHA181c0ba8094a9be3b706acc0d9d381d159c1fd4fd
SHA2567707ca8b641aa543df0696c298916e6b0105484f66e8485f922a2f962ca04075
SHA5127c0d4cc9100d0c3aa8d5b90fb9347e184698c56aed89123a073bf1e20a1657a2e79db7453c6eab40624afe44a2ad07b70134082f85086b0b8872b0b3d2d6c457
-
Filesize
896KB
MD531dc50bb7773755a0b527415d04064f2
SHA1ec2d24de207ce4f31bac02db633e1fa308173c58
SHA256b59deefdc1962e108c7c124acab2bd04c57436e09ddeaa67d521a5403c10d2c3
SHA512333d6e21de76a52b0e7a8e8609bc444ef02b714ba4bf66786485796a24b4fefbd9ce4251d4c5417a2df4f7fc8b46b2333536142d305c4d3a63bbdeb6c25695e7
-
Filesize
1.1MB
MD53fcddf95e9b7166866a8462b7ab3e502
SHA13fb56bd3a7bd3a546be7e72d1cb31c7923817cbf
SHA256a564ebbcfc4b309723e77e39ce633a68efec5ffbd883d9c7a2f1fe58f54f5fdc
SHA512d6f961937a72420d60563f455fcf0d3a60922a3252bc5fa5f599094c5f99aaaec3e9549ae86029d964deddf23c860fdd202079387f1ea8ae013532b4d9b1e7ac
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
36KB
-
Filesize
36KB