Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:42
General
-
Target
d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe
-
Size
1.5MB
-
MD5
f3cd6bba4c29ed1c18b64abeb4e7b5d6
-
SHA1
b021ab8bb5818ea679feca49aaeb134a735a8982
-
SHA256
d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4
-
SHA512
3881ad760075d5fc765154095b2cf33c6b873bf2a0bab26f3a5815f8ce74f98d5f38500684d5541b553eeeb7607ddad0dcabcc01d531645916d28784d8af5e40
-
SSDEEP
49152:b9oWtgy13P2xA/bJOByk2SfIfKsMfTtUIEw4Gr:5oupP2xADJOByoQfKsMr6j
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe"C:\Users\Admin\AppData\Local\Temp\d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 5409⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\62B1.tmp\62B2.tmp\62B3.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff064e46f8,0x7fff064e4708,0x7fff064e47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2432 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,9820643795979987906,10460145749675660629,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3664 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff064e46f8,0x7fff064e4708,0x7fff064e47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18436011665864704390,10388924627145067278,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,18436011665864704390,10388924627145067278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff064e46f8,0x7fff064e4708,0x7fff064e47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1342573789263654681,372730185444257714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,1342573789263654681,372730185444257714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4444 -ip 44441⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
1KB
MD512af24cfecc011e39f08cdc96d4f2fdc
SHA15dcbb5cedb6f4d68c3f245a7f616a30a695de3bd
SHA2563e4fe117b24593f95ea2914b6fffe1c71393c668398aa84225aa73b106e37f0d
SHA512e6d5c7ab528e5cc1ff39d1111babb377b0702cf6638d5dd14b432a6017c12040ac71c944773ababd9d466e5a4e6a1ab07fb7b876c4f8ae487b9f65ae7be991eb
-
Filesize
2KB
MD54b188cf4dc0997c4a396ec08ab674d4a
SHA15e998e4a52a5293f7ef7f57d567083607f5dc755
SHA2561f5223eee95db660e23d41a1aa0faa7dbdc9f885e809699da8cfdc884ecbcec9
SHA5121f2c2d4ea1f21e4e0fd41f1e3340f1d04df28166ecfb4a51e62e0428ac9d4b188cc41631ab0c8449a77349ae55d8ab58dae5e7cff703feab7c11076d9a208dfe
-
Filesize
2KB
MD57a1784827092b94f40ce27a9fca41074
SHA106a810f3c01bd2e395ea4acf5448fc4829826c54
SHA2565de31c38b07d128e9f8bfbc974f6df03d4e00f1aaf2b7ad761215d733ae8d057
SHA5127defc13a316c903fcb6ac8979744eb01e010a0ea5deeae2d76df984cbe137bb676ba6eecb37c4aba56ca4024c4d1645f885b70fc633f366ea6bf47305e0c4d18
-
Filesize
6KB
MD5c5d7cb6bcc9ba344e5c7620a7eaf1d7e
SHA19a68665b64cd22de851472092691a94892d662d1
SHA256e7f8b7cccecc5b79bf617a5ee3bd87b0d291f03d7d5a04882434aad71f201cc1
SHA5121f6e26d8605df59cd31dba0d466865f75a183c0752880f01666c44e0dbe426dcc11cc908cf3c3c6a0acdd592dadba7ae352bf5371b3a4eda5a12361672b965ca
-
Filesize
7KB
MD5f71f0750c00742809d245857d054dbaa
SHA100dfe5c6e6ccf04d74d5dca88f28db27ad4a7cba
SHA256ec292017f2ceaad40b6539dab2a66cbecb6e0348fc9fd031390962a1a3d1d773
SHA512a5d01a48e320bd3200ae04e7f921c31ed95df05394f4ad6e982d51bb9d99f8b69a2e1976af07cdf2b4d777a00fd019c9a756a95a99240f372fc4b02af7db80f7
-
Filesize
89B
MD598165040763513e0e7033ac336f26c35
SHA189f0ae9277f81f7c8df079d3ef1e69532a6d3164
SHA256d296970bbee5561f611ab043583f7af12e74f843df0038f3bbe96755f18cbf98
SHA512c8a67288297a9de732db47ded37db763c4dc0d571e52e42f9baa7f22ada850c2338a9acc55b20e4b2700e6d197f3c5969f6b16ee572a7e6bacf4022060e9d06a
-
Filesize
146B
MD5804d0b63f4c85326f152ec2f649f823d
SHA17e0ab7735c730bb2ecdbb1a433e3d528bd39ed42
SHA2561c5c7742a67ac72c925d521a5ed5c6f8cfac3d7caad45b6c304ff8976166545e
SHA512fdf176fd5a15032dc364d63aa1aca21cdea74c1717bc3650f5dd6581da9d11b5df89e0259415f71ca61cfd483e5513f7ad11d820dbf22dedc1d291b11341bfdb
-
Filesize
82B
MD5a4c45c7275ef43fd5ddfd2e1f9511dd3
SHA17bb0bed863952446e80daac0d12ed9ad49ab4d39
SHA256b236271fb3e6deeccdd9d5d12b7e203f962e246f6bc37f55f9c10f95c874fbca
SHA5126ee5693bd0d6b7db9362d68b030b2859dfea5c7ff89cad25926e904c654742d99e4af72767a7b6dec5103516209f035a6620ccd8f941e2282cab7b978ce2a728
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5b87fa9a4c41bc16f5da3a306e1b24af0
SHA1e2a19dda100befe28bc7ace52f5d616b5e3c661e
SHA2568243723188c952d1c5faae8410cf6a70816e0f7d86fda6d05fac23e416eb2ba2
SHA512a5e3c9b5a58aa08be660c4118f6da2c621c212f95ecbbe007ec4bab5264b50bf4164eaf77dc0957d68b64fae7933b237cafd8b2293447854d941b6e9d722f13e
-
Filesize
48B
MD5b9282c7ba44b1ade811eb99e971e894e
SHA1d99072c6e24907c2c4132d1252efbfe35b50bc0a
SHA256f36f6eadece4c436e7b52d6e4aefafb3e88038f0211dff8b504a3c9f300e8462
SHA512785820452d037ea91b656fcb3692dca64c5e04cdf009e8297a0fc7a23eee874409bb0a7faf4289d26d85bd2db888c949ad3f70b328fc84d82b1ad2cb79bde0ce
-
Filesize
1KB
MD5fcc359b987de9e6ffef41f6702fea1a1
SHA1189544c10defc3fdf9dbb292df9ff2102c5de293
SHA256c64fd49890cdae188035ff652987c46ae399893620459035d142b0a3abb6ce2c
SHA512f4099b1854ba1986b81c2290e239793fa2662520b3c3f3f94984ca20ef79c355d3ab79261f7c89682d1567fd3157f02cfa843ac745072a357c18648de830c454
-
Filesize
1KB
MD5318991356fd2f47efcbad5002d59cc7a
SHA18bc2f9fb4d26ed7bdb3e846ba31c4528e6b99d85
SHA256d25d19944e0d2feab57bd374d714f6d7e4a93a719dd6aa55644d802b10599b28
SHA512e2122f60d042f9f65bec10b4ce55e9c3eb364cb5dcab007ed32d761a8583bddc86002d47ca70662dd237da83a134253f2a214e2c8cb16d13eaa7d18509399f5f
-
Filesize
1KB
MD5102ea9c5f74618d55aa82e65f16a6827
SHA122cfdf8b8207b2f0519a16cb611e8edba6f88b6d
SHA2569e6cd32a0cdbbeef34b93905dd4fbd15a8323c4ec0d79624fd9b4a7f4c0f6805
SHA512cd208dacb408f4d3628a7d49f6155ebe211f9c8a0264a36e523865ea044662f79d976941130e9c9f5aa5cbd889b700369550b66731f815eb8d818ae10e775df5
-
Filesize
1KB
MD56ef5039ce7804212bdaeb15a914ffda2
SHA12157e7878f6ae03c336c51ef4a00e7f14e4dcc52
SHA256277b46b6aa6dd48e6c3692c6eb6b814d9140a7a73ec8142d439deb57c20f9018
SHA51290f67772df14b2f38fe89ad7fa1f19de5b06941c407db0dab5cac2fcf6552f77c00a764a53d515f9f8d943e370caff9025f03bd50618cfece078dc59cf52c7b3
-
Filesize
1KB
MD548a3f7c58590390667d4b798524f5a60
SHA176883825d15e0bf501f7345c2eb338a816c551f5
SHA2569f2b3cd1bcda45662fa69428adeec351ed4805871afa410b05a7f0b0ce528486
SHA51254b4eafaea527d1b8e9b2754d19c58f89164677f361a087dadd5c4c0f7116ed77b607d0765aa7667f5a06e1ffda66587254a77a936aa6124122cf5cccb6c9324
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD544a13f29c2e3ed05ef79ffa8bef6b362
SHA13167f92234835687331e6d057ceb4f085000b96b
SHA2562997a57caed7ce7865e21d7757e0addd932238a5c4c5f5189adeae7f59d43c76
SHA51222da2f5caa11b25a8dc324da3c9a064030d0bfea4341536d2c14155ad1e4f34f98a8ccf18f69a6b62ee0f81dd16cadb78a20c3ed81963e93b80366bbf515ec37
-
Filesize
8KB
MD5711541dec202a23017e4fdaa58dc9ae2
SHA1995ee8d071deeb09b05e3718baee43d58929f447
SHA256db566ee1c67e05bf4c7419141f13b33cb62493a2f3891961efef648e1e7bee11
SHA5123ac751a54c70f6a2b40db1fdd519db05decfcfe6bf6078c08da3562bf6088274c085818d531d25182f6ed6aec6550283d386b0e32066341a174b6e076348ae3b
-
Filesize
11KB
MD54a957bd7939164d24ea2b9b45b329578
SHA16f709a9c9db11c9dbff455496894f0c350ca60d1
SHA2560425f428720afca03ee4e162ced88a8d4cb90dcbe2e44e781b08b8b89708dd65
SHA512564e967d3838ced2a6cb370e84e5739a38dca55f337b87b588215ed090ba3eadf24e6faaf87b2cf9f3434aa2d8184ac39b91747db07fa3adb1862bebf9f5cc24
-
Filesize
632B
MD5401dcacea4acfc09e8774cd0fcf16129
SHA1ae03b7999297b5383785eddc4f6194fd4c80e149
SHA2561d5c24e97e32d5e4aefe29c6a84df664e67a2db5da7a6d138e5084a60a7bb0e6
SHA5127c423d05b9ea04a06614037c9e28f3da27fbb95daefd14450cabb35a6abf546b1a6585c1bcd07a66a3d02f967fa1774c9cb09b5520a53b2f90e0ed1cedae3dc5
-
Filesize
87KB
MD592b82c490c282bf2b09268be9b629732
SHA114c07fab8aca1f8f41936f1217478a25beabe3a8
SHA2561f4ee8b00682f5dd5bf0c95162897566ba5ca1c4443cb252c7559687f3b78273
SHA51274f70859a2c9372eb079518a9ed2261180263542213d87ff9911926d282f87548e8f48ecd550e574992907e23597b6ca1bcd2438cc6796b49588a2a93720b27d
-
Filesize
1.4MB
MD52e20a2d7c6194a7cbbdda4d9452bfa03
SHA1bdf07ff1bc943028fa77f68edcee9af66605cd5f
SHA25634146b4c86a617d559fb0012ff0f5afd04927a97143affa9419ea71e5411f061
SHA512037de372946426dbbf019a01f171b39eb67544a620188a6b0735233f8e57dda0e23a9f4765df5bec28ad7a8c5de7dc9ed420f09b2784d809238286a1265ddeda
-
Filesize
182KB
MD52eae4f217dafb0e02f5d37c44ae2a652
SHA1414b9875eff592c656038f38ddcb12e8064f744a
SHA2569598973b13a014ad884b46c7494a0392a36270e62a365803f9eb1438b2c19f4e
SHA5124aac7e26b26223cb201b5e5fb581c1e2eb32f8877a1eab582e181695e0503be4a4e545aa326dc112e7deafc1ef2db2c7c1ed1968339cc89b96f2f1110aa637ab
-
Filesize
1.2MB
MD5121aa508cbaf7060c64667863c8e9389
SHA1fdeaba571f6e72d4fdb77631579f6d9bf5356f18
SHA25695036dd4a2fc22e08a063ee05b13441b1a9df0d93ef4646c16574f7c460eac3e
SHA5124ced304e8f2c4662a216a8fa2a36f42ebfbb6fe4f9d05d273f111943ee00a0941ab3878ec5d04cfac688ad4149bdacfb8cc729da9ba43cd3c16f13c64b5eb529
-
Filesize
219KB
MD5f65f417183727d8ef72b19a7ba3435c9
SHA11ba33b32beb0c119eed2ce54d16a92342577f37a
SHA25632c97705475e244c65dff0254525ab7847555bf05082db2395f05db2e125bccf
SHA512abe8a29652953dba6b86516890eb0253ef6bae0aed39b92010873ac25154246acd1dec5858036015430d8ca27fe91031b6ba031d0488cce396d1cdf539a7fd0a
-
Filesize
1.0MB
MD54703ba737b5cdb5519cfe63d74fb3dbc
SHA121096b4f846b4d7aec36fe953de2007d27d33db1
SHA256a53869996516adfd7af5610a409584618d747d1386139e632eebd84df93ea612
SHA51246a42fb2aa810d07cb4048cecc555f8bbb1d13cebf9d486011f5e8f53369fd72e522fce28aaf09a4581ea70e6044eac97cb1b4b2ab73d7a70bc2781815750e90
-
Filesize
1.1MB
MD5a4865323ef36cd164e7a023f917433ff
SHA1ca2e62e99540d345da483514c50edd4af13705e4
SHA2566a42355d8aa58d2cc8c78092d4ff0da6ef3293674ae518e15c71d1ae10cd1c67
SHA512575b0cd897c88af2e03897f67123e3ecdfe8c0eb6cbce87d603520a1d748f231792210671d950ed900858bb0f84e8a9770030d96f3ed69d7964e566a357eebba
-
Filesize
647KB
MD5160a38e156d9d16c2842f119ad0acb7b
SHA1137cb4df3f0a3a711bb24841585f81bbfff781c1
SHA256a4a88dd47fb2c0d47afc4cd467cd98b775329552d605d92a369e8a192600a5d8
SHA512fbcbe0437f1c5a1b2f32a0ff716c3701fc577df48267fdb6c85925ba750cd006723f8716fea1a547edd9bb932bb00589013f9cf026475ca6798c271f278d6077
-
Filesize
30KB
MD52f9257e7bc6fb693d58e213784b509f1
SHA1dfb07e903b57d6b26c219f31c3c229e316425899
SHA25636c7928fd1c4f637fb4ebb75c5e491ec990d608bcb07adf59644947e46e21150
SHA512fc37f43d513b8a719a9fe276f5a084aeefd6ab6e3597d1279bdedc11805c9e1dce956d1818d7c9aa5143b71a7d0de2c6b4cca2ba09ed10de3165314320e87ac5
-
Filesize
522KB
MD5dcadef184d3ca1c2568441d3b0b06b12
SHA1c7ed42bcc082a3b1f5fb254185b603cf948022b7
SHA2562e38b54b82570e519260902146b594aff77a694e956d49e6cf93ddb466163fad
SHA512dcf3b732b916c1b518c01267cfc330988ad5f5f24646c4b43dbcf488a4c76e417eb9033728d1579eff70bbf63a4411729a0bebd4cf24c2360cd8d16c5efb883b
-
Filesize
893KB
MD50e56e59513a4b1d1eb512e8187ec7ab0
SHA1992bf232b6fe1c8e363818191c267f7ce9a435e9
SHA256bd2bfabee2939f8bca5de7472b0fc90b6ca02f0a1db275b0970b32a53159ea5d
SHA51293c4e5da3877442774658a5f516447c8debe2490a969cafea145e67d0572ee0f8c7d3031c588a04d42aa1b769bf5661f31086986c4a0180393b08dd8f9c34241
-
Filesize
1.1MB
MD592d270ad52299d83b23749f1307822b8
SHA1bf40dba809684b1f4994e52c057c2579cf943b05
SHA25636c4eed0f2893a3326ae8c2a20e85000356a95c67e0dafd7093b19619d6c8f0f
SHA5121e296b8531aa153461c0de6e401276815efcfee0f66a031ce718d634b771476b25b38fbfdc006a17af27368ee7b06f60ea4a1de156eb21e693f7a24069438828
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
584KB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB