Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:42
General
-
Target
04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f.exe
-
Size
1.3MB
-
MD5
9e812f3cb3b6bd7057626dc1f8f40df2
-
SHA1
768b2df69ccd958e0865575e10f42b98bafdba21
-
SHA256
04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f
-
SHA512
69f3903c483f01f1835bf54f52c78c25dc62ca8f24ad3020c754aa44230ac3bc55eeb1c6cec18b7511d23aad33f56ada18ce5875d67b07aa144de9b6013e5156
-
SSDEEP
24576:uyENvyaKYUdsbl1Vtkig+4xZCUVjjEpB1eA1cOTYDXaVKpHky:9SPjb/8dDMUVjkWvOTYwwH
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f.exe"C:\Users\Admin\AppData\Local\Temp\04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk4dS63.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk4dS63.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ik0iS59.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ik0iS59.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qI5yO02.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qI5yO02.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qz1Kj77.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qz1Kj77.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1EE79Gx9.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1EE79Gx9.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB1958.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB1958.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hC15ix.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hC15ix.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Qt187YU.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Qt187YU.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5cj0UU9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5cj0UU9.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6wM2wR2.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6wM2wR2.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\448B.tmp\448C.tmp\448D.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6wM2wR2.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc2cb846f8,0x7ffc2cb84708,0x7ffc2cb847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5072 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,14715401477034792456,13655493337976699413,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc2cb846f8,0x7ffc2cb84708,0x7ffc2cb847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4844128711104244338,1726198316964381225,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4844128711104244338,1726198316964381225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffc2cb846f8,0x7ffc2cb84708,0x7ffc2cb847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16784503307021509944,2244519427224297275,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16784503307021509944,2244519427224297275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:35⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5279e783b0129b64a8529800a88fbf1ee
SHA1204c62ec8cef8467e5729cad52adae293178744f
SHA2563619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA51232730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
-
Filesize
152B
MD5cbec32729772aa6c576e97df4fef48f5
SHA16ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
SHA256d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
SHA512425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
-
Filesize
1KB
MD5cf1c652394fd4943204fa8f383fa3d78
SHA18d0623a745a56a0ff76ffdac5835198e709311e8
SHA256099ee17f646e3f30020827270f57cb3de6046df5df1313f7b41ad343cebde065
SHA5125df012a7fea0ddcd06fbf7d0f6d4422d83da7d92547eea1f8e87e5c4e240007066afc589257d4cdf7083925b8e74f82ca9ddabe6073d32bae2194eaf0e2bd11b
-
Filesize
2KB
MD5ba42de59a2499b4d74e698feac15f112
SHA1ce5e3cc42bd06474f4a461b5781e5c65d12109ff
SHA25645366e5c42d8735ce13ebd6e85eb876f4b6661b8fcbb1f382e01a69289b4b3a7
SHA512374c4a9fa8427666041a65a6b115f871d18f3f2752fd482bf81a9c7edf4e41cef583e0069bd74e5620a82f918fe1b531ecb95b6aee3e3c0c2e06ade7288578dc
-
Filesize
2KB
MD54ea582efef727889205cfdbee3670432
SHA1e1f5d8dd4283eedce68beff0afe8b6cdff368e73
SHA2564f51da51108bebef0d2098e1e6f8420bd8631fe9543bb7657a72287380b15e67
SHA512f9367e7987322f9de04a2da3ced6498113433606c109e8aa90c89823909e1769adf0f57a7cfe5ccf7f3d721b92cf1f02be10bdc9ba89e7a77782fef2fc7aca29
-
Filesize
6KB
MD5a821d550791c003d3883a2202d27d410
SHA16716825d04e0d5d91bded6752ab2610219ef7981
SHA25642082db72d3e60aa469144fc84366733a036b1b47c3199c98cfb57a743152f47
SHA512c2fc027dd3ff8b615c765874386b785a70c2c9e67b67c14699c75799079ff60e81f7d78e976540e0b8a063e0c045c39faf752bbeaad649fef5bb85eece23f4a5
-
Filesize
7KB
MD53127a5fe1b1fbbb40b2d68493dfeff24
SHA123ef608808fd5ba92fc674dafbe257b3f936bbe6
SHA256b260ce4dc367153cf7766169c47e67d73d5475dda60441350801f4aab5790f25
SHA5122d864cba48609396290ef8e19adcec99bb3dfe3554583b24588009b30e98c937732b804719101296530a4d220bb5a59a05246d499d11d5fb178b932e51d42df9
-
Filesize
89B
MD590b18a381f17003ab6d8ac5f99fdd8cb
SHA1be6784a382f4ba1d0c1376538be8561382f3cd63
SHA256d4891484cd74417f496c1bca7b5f6d5f0105bfd48f743b9acc3ca705b9b08c19
SHA51286af7daab1e5386d17840f6de8c6965496b08889f59f2e8cfd12ae6fde8982396bdbb2d992b0e1af26f83e132bd3d0bdc3dbb5baacd343396994fc427cb127d0
-
Filesize
146B
MD543ae6da7548902a125630daccf5dd62a
SHA10fbbc641e295acbb685d85338c9c2a49999220d1
SHA256c0cfa9e6e2155fa40be9e06d789efdd22c700160cfb719d36e7ad4b07bf90c7f
SHA5125e3d9c408f260fc60c7795201cba4fde274d7590d1a213f38ec2081dc41e2610f9b583f76e297bbbde35338a093b5985f7d30074de3762615f7719e0d3e6fd9a
-
Filesize
82B
MD56ce2302325e4351b336f727d263c4902
SHA1f979045d26b4b402b01918994d736b0cd904e07f
SHA256c92d383e382854eed25ee5f7b8b554ba076f107f6fe47168b8f995717db7a204
SHA512a2475407f9506d97576c83df35edd9a2a490036df3691aa0712b1baa5af552a95fbf8c5db66de73645b167442e3675226caef28d9f5c2e817a1c7fcb45856ec8
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5a9d7a74427ce73ca19c431e441983d02
SHA1136ebbd353dfd1857cb31943f014afaa41ace9a9
SHA25686f996c3fd4bdb9dcb2fe9d849938d7decc28afaddc9c456b5ef5b40b6176b88
SHA512a8188b385541863ce89e57a663933fcc5f464b62187bea054035d0afcfbba23aee82fdad880117c433b709377474b27e78f734b00dfd95108dcfb152d8bb0034
-
Filesize
48B
MD566cbdcd16a1a83c98e2b5e5fc647f067
SHA1702644b986d6567e8de9ae7810753dcb388b006e
SHA2568043a3e1bc0abb7f823592c754a7edc1cb6dd6b7cbbbe0eb040ece22205cc97a
SHA5124fba3aa53e6e18eaab28793d451412a4ba6fbb9ce43197ee35e58b9bb875cd8bab51b1ea877fd62368abf6c164df89e4736be1624d57786238fab0645a5dd697
-
Filesize
1KB
MD5776668e8c4b508901b8c82b02e91bcfa
SHA1d1464f0a4fc0a8fa56c913ecc6d887d582418553
SHA256d2d5a40c267db04fc9aa0d865c3016ba8a4e97d40fd5975fb21e4d329055c4e4
SHA512b8a2e5ba4b3fd47e3c953ee5f14bcb3b13ffecf93c81034bd371d2e5731d3db876e7150c853dc07f82d43567a619fa68788e254c5698fde846d4287174690606
-
Filesize
1KB
MD534c9aa5a87d45b8e294fd169dfd85d2d
SHA1859a8629052da658300446384245592cbface049
SHA2569175fbca43304b24c905e1d912d6b5b10493ef97883622fcbc5f83eef69b643d
SHA5129e41ea486e963230157d7746731259dccb1d3c205f960238b2fb508750a7187969c24bb212c4aeac8933cf3074668c324aa375d66ab69f6b71939cba4cfc1d21
-
Filesize
1KB
MD5684193c06489881612fa11c9cca51bbc
SHA1fda197760850857b8b7faf6b49620228763a9837
SHA256da94062936b2454524ff71c210a0129141de90e121565207623a1bb0cf1ffc79
SHA512ac12f6b102730a423f5a46d7a710f6982a7e6dab3eafdd4a76a40d9e8b284a6f6318356de62cda7b5cbb7b6c057c4614f3d94b852aa3ae4145ad177d00fd3014
-
Filesize
1KB
MD5fc98ff21ed465fa6b95de6c952b3f0c2
SHA11f19797fc17f2496edf837a79c16dbb29d165152
SHA2562af1b191512199e203e8b0efee79c84a39b7b4c92f9dc0c709de8b792e8fab4d
SHA512173e5a64d9116acc866a5231a2ef903dfc2a64d5fb52951d393616e3c94e8c68d22e05ca122d2abdea7d362cafa2612c1c1311cd0b7577b1bc5f53201d6435ba
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD58e4acc89d47c6edfb0330749930ec525
SHA1d6e13b392165f54457ddf7a6149814a40abcf223
SHA256497d0e22411e4cf06eb97da24e778b0de671ce321b37f17e0abc68b0152c3d30
SHA512acbfbe2a7ffc6346df4f2ef4e1e58a98fe006432e5392bebd19a77179eb982b1f23fb782a18aa5fcc240b1cee3bd05061aa5337c872912ba70e35928f29003c4
-
Filesize
8KB
MD5136e6dbdc80c2757b2232cd7e9814716
SHA10100d1c572b263b730955e0ad734115125592d53
SHA2564e3a9dc619bbfdddc2545b3adca1656bb9a4c021b0d864be906b3a5754ae29ec
SHA5124f75671bc71327c8b35ea834e7861639c4a6ed829db957911e4e7b12113088596fad658fa8af8a38f90aeb71e3d1de3cfde3179c0f3e5ec1fbbdd93644fd7db0
-
Filesize
11KB
MD56e970831c61073deda37687c76573e82
SHA1b543bcc3336ba096f2ca26ab7bb50c545a98c0ec
SHA2562466538affa9d8fd563674ec20e8560fbd7b06cbe4c2d04f5cd330658da55519
SHA512b1a0af3d5440b645c54fed8ffa68f564c06489981105315d8c7fc4361f3915389bbbfe8436a1533d44e80fcc883141b9b2aa48cac6e15a528e4e38fff2ed4dd4
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD5c156478ac30551df648dcec6983d346a
SHA10e22d46e3096c9567984a2dff5e6a0788b42892e
SHA2561037c68149043bbd84cd329aea94f1b40ea955e9e14cda7b3d724d7581212fdb
SHA512c7912c78302936c61c203b41267e96dd93e3707d4deb26fd4579a8ffff929d6b25e3e46958305eccfe3f95f6e9606992ed4ec60b7c457587269cec0196fceff6
-
Filesize
1.1MB
MD552579e37aaa34ce41bea033cc022f6d9
SHA168b7433eff101182f196f69c4db9aaf776869aff
SHA256815f6331b2583f1ef0ceb33877b8375654a74a9598e6112ffc8b7cd7f38a793b
SHA5123a8ff3767e5982f7b80f3c26063c98a47467a98edce15b47d75a3033f853c29bf9f7ae6fe2a72d99cda775de7e48f30eaef1b831a9ea0565574228b75e834923
-
Filesize
219KB
MD5592fdc333363c213241581b9ace2ce1a
SHA13fcc9c4f49f3b5095fa3130215139b48f318a51f
SHA2565596aca585011ae25c053fd1e63a34223f5028b95b30a9d3f208403fa7e6c631
SHA5122aa074292014d761dfbee693abb9dcf85001df965ee86ee23383d6ac86d40a9e9c3302b186cf398bd9853b29d1c3d3448be2c8a1cb8df0a3c7be75d5fac75296
-
Filesize
1000KB
MD5e4bae8bbfab0c4652462777f62c53bc5
SHA14ed3dd73dc909cc4f9088e866edd8fb69ad63fdc
SHA2565b5673ad664d510b16f8cd52c97666ab3545b87ac0f8c67498bb46798e93877a
SHA5121eef3d35b8152766d3c97e9a4822a0af299e786123c096c159c08655ef0509da409544f1ef21b5d0d6fbc15b03bba8b8924c5a6320f9b1d157add522745946dc
-
Filesize
1.1MB
MD531f18bf9fafb9df9d2576f21b839f207
SHA15bed8e92928e77d8273237a6ecc101c971de415d
SHA256adc7109c762674906da495c5f918d90fab4cda765ec6bfc5c0959da138452c97
SHA512d71e18e56a599af70b308502a70eab8d6d76d589602b642f2a61b1b8a2534a0fd604ea53b82fd35f68e8bc8f5dcc6a18fbd55f46d17d30ab70db933bf0ab1459
-
Filesize
586KB
MD59ff69d782be45c75bdc58db2a6f6628c
SHA1c37051f31ded347a4a7d7816d3e0be29edd106f5
SHA256a2254994f944b53caea6bc4fdde2119219dd69abcb2e3ece19ccfb50656b2e78
SHA512a3d2a228b34428b12ae6bb5ebdf5a5b55a3315adb8dbd1a8a2e062e7087b116d89c7e64e90ae00cca01c066601bad6755c38d458eb19eb26c50c71912996c450
-
Filesize
30KB
MD504e8f9ac5d5ca5686ec929e8c4aaa18a
SHA1488492ee94c029314dc7a18474e586c621408c79
SHA256a88fa27616123790bcb403946d8c433504c3d3c638342d163347ed7ea062f961
SHA5122c3b6cdd9432b692196c22c2c33ae32a62d7f1af74801ad4baec5fc05f752947bd099ae50aef3805dff41f04acbca7f518e2b52541b8fe9f0e941b64e37230ed
-
Filesize
461KB
MD56850e28a3bc35dd3df0228698f4627c2
SHA15efb32a0fcfee39273d560b4990d3d51a3787b0a
SHA256d8af55ce42c3248a1bf90f81a5e0ae03a37a5e9a02c03657cba4f6370dcb72ca
SHA5127f85989b6ea9cf3914870cbd9255542e4fa3b64dc882fae821f69169009830fb42c29f7bcbafa7a4a465922f9bd9a584c592e3aa9a389e056bfc6059afcd9847
-
Filesize
886KB
MD58888c49aa48cf0ea1dc2be358624d147
SHA1055f7dc5635544ad131cc1331a59e866c9402ff8
SHA2561e111d314fae9689d28706c674c71ddaa6d7ecfc4df9d82560b4cc6dcb5a2348
SHA5128cb0c17f17baef58112bf01e14242b24ac9e300a0fe6083554b8a4aed029ee7cc7afb174980fec2f782fc2fa1fed5f3d607dac963dc6f4c636c0cf52a8d8e8d2
-
Filesize
180KB
MD5417acd301766be35eb9760efaa195bcd
SHA15e1f1cc3368eebc4a2d9e9dc3c72434e8342094f
SHA2564504d172c4067a74a6c4baca4dcd5f217764296998fd67956587bc37e225c342
SHA5123e9ca6b057f2c68ec9900d9abe41a391e28b84ddcfb80d20499a299eb98015dd02c2a43c614c01357b1233953ed0939cd7460b0e6daef5c0e514efbd2fd88f60
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB