amadey | 5427bd0cc85e4e988825c8a715c5c504e1e1111d7053cb5c2357f5071ff5b59f

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe
Size

1.5MB
MD5

3b58f52654cf24ceac5a682fedf56ea6
SHA1

4e012ff7eed34f394136e4490f7bc281613f84fd
SHA256

df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c
SHA512

bbcf48c981fdc8b9019a8388ebc7179474ee9896003431f04f1d978078837a06c22335458a0fd782683afbfff4a06dffa17f09e71513fdaf34e0872597461f22
SSDEEP

49152:CdCs0UvZJ3HkXkf+/1ZvY1qaKidaHjskUWQP7RQ:Vs0UvZJtf6qdaH5SP7

Score

10^/10

amadey mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/1464-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1464-48-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1464-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1464-51-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/files/0x0007000000023311-84.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4400-61-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	5Tc5kJ4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 15 IoCs

pid	Process
5008	ab2Gu05.exe
4212	xR0ra48.exe
1844	gR4rB18.exe
2240	EJ9sY61.exe
3288	eH5es48.exe
416	1jQ62EW9.exe
4920	2bu2715.exe
908	3Ay80kJ.exe
1516	4HZ757cf.exe
2700	5Tc5kJ4.exe
4832	explothe.exe
2216	6Di5ea1.exe
1296	7RH4ca26.exe
3676	explothe.exe
1856	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ab2Gu05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xR0ra48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gR4rB18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	EJ9sY61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	eH5es48.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 416 set thread context of 2624	416	1jQ62EW9.exe	104
PID 4920 set thread context of 1464	4920	2bu2715.exe	110
PID 1516 set thread context of 4400	1516	4HZ757cf.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3452	416	WerFault.exe	102
3200	4920	WerFault.exe	108
1740	1464	WerFault.exe	110
1440	1516	WerFault.exe	123

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ay80kJ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ay80kJ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ay80kJ.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3508	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{C0B477D8-51EF-4241-A070-C086F55B7B31}	msedge.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2624	AppLaunch.exe
2624	AppLaunch.exe
2624	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 5008	3276	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe	95
PID 3276 wrote to memory of 5008	3276	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe	95
PID 3276 wrote to memory of 5008	3276	df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe	95
PID 5008 wrote to memory of 4212	5008	ab2Gu05.exe	97
PID 5008 wrote to memory of 4212	5008	ab2Gu05.exe	97
PID 5008 wrote to memory of 4212	5008	ab2Gu05.exe	97
PID 4212 wrote to memory of 1844	4212	xR0ra48.exe	98
PID 4212 wrote to memory of 1844	4212	xR0ra48.exe	98
PID 4212 wrote to memory of 1844	4212	xR0ra48.exe	98
PID 1844 wrote to memory of 2240	1844	gR4rB18.exe	100
PID 1844 wrote to memory of 2240	1844	gR4rB18.exe	100
PID 1844 wrote to memory of 2240	1844	gR4rB18.exe	100
PID 2240 wrote to memory of 3288	2240	EJ9sY61.exe	101
PID 2240 wrote to memory of 3288	2240	EJ9sY61.exe	101
PID 2240 wrote to memory of 3288	2240	EJ9sY61.exe	101
PID 3288 wrote to memory of 416	3288	eH5es48.exe	102
PID 3288 wrote to memory of 416	3288	eH5es48.exe	102
PID 3288 wrote to memory of 416	3288	eH5es48.exe	102
PID 416 wrote to memory of 3372	416	1jQ62EW9.exe	103
PID 416 wrote to memory of 3372	416	1jQ62EW9.exe	103
PID 416 wrote to memory of 3372	416	1jQ62EW9.exe	103
PID 416 wrote to memory of 2624	416	1jQ62EW9.exe	104
PID 416 wrote to memory of 2624	416	1jQ62EW9.exe	104
PID 416 wrote to memory of 2624	416	1jQ62EW9.exe	104
PID 416 wrote to memory of 2624	416	1jQ62EW9.exe	104
PID 416 wrote to memory of 2624	416	1jQ62EW9.exe	104
PID 416 wrote to memory of 2624	416	1jQ62EW9.exe	104
PID 416 wrote to memory of 2624	416	1jQ62EW9.exe	104
PID 416 wrote to memory of 2624	416	1jQ62EW9.exe	104
PID 3288 wrote to memory of 4920	3288	eH5es48.exe	108
PID 3288 wrote to memory of 4920	3288	eH5es48.exe	108
PID 3288 wrote to memory of 4920	3288	eH5es48.exe	108
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 4920 wrote to memory of 1464	4920	2bu2715.exe	110
PID 2240 wrote to memory of 908	2240	EJ9sY61.exe	115
PID 2240 wrote to memory of 908	2240	EJ9sY61.exe	115
PID 2240 wrote to memory of 908	2240	EJ9sY61.exe	115
PID 1844 wrote to memory of 1516	1844	gR4rB18.exe	123
PID 1844 wrote to memory of 1516	1844	gR4rB18.exe	123
PID 1844 wrote to memory of 1516	1844	gR4rB18.exe	123
PID 1516 wrote to memory of 4400	1516	4HZ757cf.exe	124
PID 1516 wrote to memory of 4400	1516	4HZ757cf.exe	124
PID 1516 wrote to memory of 4400	1516	4HZ757cf.exe	124
PID 1516 wrote to memory of 4400	1516	4HZ757cf.exe	124
PID 1516 wrote to memory of 4400	1516	4HZ757cf.exe	124
PID 1516 wrote to memory of 4400	1516	4HZ757cf.exe	124
PID 1516 wrote to memory of 4400	1516	4HZ757cf.exe	124
PID 1516 wrote to memory of 4400	1516	4HZ757cf.exe	124
PID 4212 wrote to memory of 2700	4212	xR0ra48.exe	128
PID 4212 wrote to memory of 2700	4212	xR0ra48.exe	128
PID 4212 wrote to memory of 2700	4212	xR0ra48.exe	128
PID 2700 wrote to memory of 4832	2700	5Tc5kJ4.exe	129
PID 2700 wrote to memory of 4832	2700	5Tc5kJ4.exe	129
PID 2700 wrote to memory of 4832	2700	5Tc5kJ4.exe	129
PID 5008 wrote to memory of 2216	5008	ab2Gu05.exe	130
PID 5008 wrote to memory of 2216	5008	ab2Gu05.exe	130

C:\Users\Admin\AppData\Local\Temp\df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe
"C:\Users\Admin\AppData\Local\Temp\df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 584
        8⤵
        Program crash
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 540
        9⤵
        Program crash
        
        PID:1740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 584
        8⤵
        Program crash
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:908
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 584
        6⤵
        Program crash
        
        PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4832
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3508
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe
    3⤵
    - Executes dropped EXE
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\29F9.tmp\29FA.tmp\29FB.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe"
    3⤵
    PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:3092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 416 -ip 416
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4920 -ip 4920
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1464 -ip 1464
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1516 -ip 1516
1⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4524 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
1⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2376 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
1⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5788 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
1⤵
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=736 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4864 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
1⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5588 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6348 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6428 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
1⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6584 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\29F9.tmp\29FA.tmp\29FB.bat

Filesize
645B

MD5
376a9f688d0224a448db8acbf154f0dc

SHA1
4b36f19dc23654c9333289c37e454fe09ea28ab5

SHA256
7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a

SHA512
a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe

Filesize
89KB

MD5
19b35690fef22b53e35cb4620c110278

SHA1
40d0326f69fcb00feebb4837bd27438a704be293

SHA256
dbd44f7f9eb2d3b661b4cc1b29641771f18a0f1a799780fdaa692881e821b8c5

SHA512
37042b386e70d15b67059768f68c65713d34a8a244cfdb8bd66eaa3caaf0122d16a5ebb2d1630fa47a305c200463b4c2a2ea6dd8e87a9a6e3ed5f12ad641950f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exe

Filesize
1.4MB

MD5
72e03d75bf021a1e1c28ff695d055e65

SHA1
4bf5e85f2cea24d2ba29301752ead08f4e3335a6

SHA256
4e82df1cf92a65295b16dbc6970198ae671c24fac90a7f652d7537f191014917

SHA512
de178b3877e6e91be15e47dbe0ceab6e0516789c0e8bc518efc08ed9549e8e365a11275acd30c7d469c957bd15bf57f7acb7f10fe6dc417c070dc6a6bd754577

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe

Filesize
183KB

MD5
a74799b632685d03258b15358c504f6f

SHA1
4ecc07bfb9529bca4802624b3022f1f5c1bfb0e9

SHA256
55ce1354cdacb4dec0dc86e9f226811b03f9a6319e4081414150a4e430e9c6eb

SHA512
2343190d7aeb9441e4790ef280af0e3a0dbb7902b5b1a7d3f81aaca360af71807af004cdb53ab608cae6cc821d236aff758e3c217032495c5d96fa5161c15935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exe

Filesize
1.2MB

MD5
499e17320cf1e742f55e01f7eb92336b

SHA1
3fc2af18b4fdab29de2b69fd3ecda89c7d407e9a

SHA256
898bc6a3ee887af2d77e1d992a1f38c14e01fa69e89475a706b24e9d6a63e7b6

SHA512
67c26da5d5d6819d5a369a82ab6b8b7aa1b18d7fb7af7faa875392f0d0642551e815e22257680f6584ba528c0d720d40cc3aa21024bf6830942ee519c5669ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exe

Filesize
220KB

MD5
aa7cc12b3dde7d799e1183153155d888

SHA1
8f394a9bd8a8e228ab7295cebd3309096309da64

SHA256
ac667d2b3675379b1281d8c0f55314b363c58628b9d7144ec032df1c6331dc0b

SHA512
0f2dcc4004fb66ebe082f449bb848acb643ec6a34d0fb152cba49537e2a277cd45fe603202d81c2b79016500eae030cd59f0835461aee86a3fc89f928cd2cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exe

Filesize
1.0MB

MD5
5a68637c88b223f1fac3fb1c4ea1b538

SHA1
a655224147ecabbaf4d8bb2577156209b51fd9aa

SHA256
a5c6444cb47785f054f5b56131c7302dc491a3c6132b58790b8d31fd9837df16

SHA512
0df0c017d6d636a5ef348535968341f01fa7550eddf8ab3a3b45d65b7f5099ac9e5392134b2491ba861d68d0b4545b84dc8cef4af8931c41e9689e9b5014755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exe

Filesize
1.1MB

MD5
015e607043c90b874c79fbb8d90eca89

SHA1
ff203ebdc57402fc379f5ad5a08f2538b8f72dd5

SHA256
d07bfeccd987516ff3d4b1bc4ce077a883ffcd939f579a671d157fd2d4517ecb

SHA512
67c9f170ff8b52a254cdc029f7ccb88cb83219818c08115c8742cccaea0cc05eaacb4bd894ff76b995b55864fe85feb25df024c973bee8643f08897906168719

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exe

Filesize
652KB

MD5
e6e37e2474b5937c1a145f756f96215f

SHA1
4213fe56509f7abd595e50d30e4a73aacc64c9ab

SHA256
a20f06c5948ab7494affe351d0a576ac5740af4869dc6506ccd6a1500ab485a8

SHA512
0819e4326326e6c0f6f8fc96430e88be19caf87388faeeac8074cd4e417fb5e145f8ebb3538eab156783b0d59a0b8a1f307121cc9e631f998ffc12c6148ca738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exe

Filesize
30KB

MD5
bc03a784fd2017ef45b2a287e5cf2677

SHA1
34340ea6b35e566d0f2679da52b771d05502047b

SHA256
52f47ea7d168e7162ba6acac451627775216b7761ad85a5e72d8c274d5703f2f

SHA512
49fdbdb52ae19d4939b875b2884467376bc2d21e64e828ee69086d0b78d3fe447f0a719742d0d00038eb4d3ae00d47af7a1362483f43f22c5f97b9aadcb6d8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exe

Filesize
528KB

MD5
b4025db382bf54c40fe5db916e2cc818

SHA1
bbfe26d8397f215a1924530e2fb072d806dfa115

SHA256
afc4ef89b474589eac5a915c2d0d4581667b214fdf56c0169edb11b8998fc56e

SHA512
924deb510b622e7accb82eefaff33ac351b7a54e46ccc2945502cfe64f733e9d57bb3e6f2ff30884304808d01bd377b4c7a1406521f4c98e72071c7b3de8853f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exe

Filesize
890KB

MD5
327aa11b65c9cbe127902f2ec75fba02

SHA1
458538e3618da2f69566bf654a19a3aca30d29a2

SHA256
fd4b9ba15bdb3f4e55e650a648830320ba602ef2bdd0d3f7a793123460229a81

SHA512
d3d4162fab37875565500b773595bc643c3a073a3154fd894bb50db370a09195b97bc1d593d3c2b007c1276608dc47328e41cf81401fe1c8bcc91a6f15a599d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exe

Filesize
1.1MB

MD5
0ccf469c1d2932e86d4a8d0e076e0f1b

SHA1
f6dc4b3f9918e82cbf0e66de7240f5b2bfd5119f

SHA256
39f35aa3c665edd1a19a13d8e030e667399e917d4ac23f236609688b35755615

SHA512
ace2473b33424eb4f4cb1bb0110570fc35d95d1459f817646eec16bb333e9efa76aa3c467eff413c4f9531e1086bebbc7887bf8f2703dda13a7da0980029bf27

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/908-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1464-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-57-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/2624-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2624-43-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-65-0x0000000007600000-0x0000000007692000-memory.dmp

Filesize
584KB

Download
memory/4400-70-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/4400-77-0x0000000008780000-0x0000000008D98000-memory.dmp

Filesize
6.1MB

Download
memory/4400-78-0x00000000079A0000-0x0000000007AAA000-memory.dmp

Filesize
1.0MB

Download
memory/4400-81-0x00000000078D0000-0x00000000078E2000-memory.dmp

Filesize
72KB

Download
memory/4400-66-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/4400-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-89-0x0000000007930000-0x000000000796C000-memory.dmp

Filesize
240KB

Download
memory/4400-91-0x0000000007AB0000-0x0000000007AFC000-memory.dmp

Filesize
304KB

Download
memory/4400-64-0x0000000007BB0000-0x0000000008154000-memory.dmp

Filesize
5.6MB

Download
memory/4400-94-0x0000000074280000-0x0000000074A30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-95-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/4400-63-0x0000000074280000-0x0000000074A30000-memory.dmp

Filesize
7.7MB

Download