Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
02-04-2024 13:12
General
-
Target
d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe
-
Size
1.5MB
-
MD5
f3cd6bba4c29ed1c18b64abeb4e7b5d6
-
SHA1
b021ab8bb5818ea679feca49aaeb134a735a8982
-
SHA256
d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4
-
SHA512
3881ad760075d5fc765154095b2cf33c6b873bf2a0bab26f3a5815f8ce74f98d5f38500684d5541b553eeeb7607ddad0dcabcc01d531645916d28784d8af5e40
-
SSDEEP
49152:b9oWtgy13P2xA/bJOByk2SfIfKsMfTtUIEw4Gr:5oupP2xADJOByoQfKsMr6j
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe"C:\Users\Admin\AppData\Local\Temp\d9aeba44fd243f348a360f2a92265ff08c698b52b489fdde0bf879770acc38f4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG2aA85.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur9dw34.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ca6bB94.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hI7ot99.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iF5dw77.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ip14dv4.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zS4859.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 5409⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3WE90JK.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4TU265HS.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5fz3es5.exe4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6lk4BG5.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F83.tmp\6F84.tmp\6F85.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rh1LM04.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff532346f8,0x7fff53234708,0x7fff532347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4064596361432101869,1154497503037331056,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6016 /prefetch:25⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7fff532346f8,0x7fff53234708,0x7fff532347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,2596495310556929070,4180572545390218700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,2596495310556929070,4180572545390218700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:35⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff532346f8,0x7fff53234708,0x7fff532347185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10714353411800794091,14164656694551069039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:35⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 19961⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54d6e17218d9a99976d1a14c6f6944c96
SHA19e54a19d6c61d99ac8759c5f07b2f0d5faab447f
SHA25632e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
SHA5123fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47
-
Filesize
152B
MD50bd5c93de6441cd85df33f5858ead08c
SHA1c9e9a6c225ae958d5725537fac596b4d89ccb621
SHA2566e881c02306f0b1f4d926f77b32c57d4ba98db35a573562a017ae9e357fcb2d2
SHA51219073981f96ba488d87665cfa7ffc126b1b577865f36a53233f15d2773eabe5200a2a64874a3b180913ef95efdece3954169bdcb4232ee793670b100109f6ae2
-
Filesize
1KB
MD5e9fa7812c7dd1651e5d540eea482efbe
SHA1d9032e1e5e760c1679af73b6149f620e936551f8
SHA256023b7f97e3a6ddaf98a3769dd7626e41e0d31269a4b51ab8fc1a45b523e84b67
SHA5127e37fe21236c60606bc38137754a90f52a04e06dada32a40560ffcd1d30a9e18cebacbf3e8651dd5e8ae99647b217377f88d08b3caecbf1ca8fb854121ac3b14
-
Filesize
2KB
MD5341c60ca1f78a4e2a9fb8348bcde767b
SHA1f341a2b4efb2171be43a66ee87ffebb53157b9c5
SHA256d020791fb1632dd2aeb7106f55acd14d399222fa3dd236dcbc150809bb03ca92
SHA5128cd953494442b8734f607bbb176411dde78256f35762442e6b9425de700073bcf405961f6b1e55659b3635feafee3c4c98eb298e6c055e6373a8f7d4f175f21e
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD583215ccd85434ba5245ac5a55119b6f3
SHA1d66e1dd4ff9b0f9a37547e0907d067f69f708a97
SHA256462fb09b995e22b691bc6fb9ae8a2a1cfc0c41699523f541b40ea44a1d4c3322
SHA5120ca0f20bc15ff2fd628b979bac6daa1fe5c37e6dc881c006804e88293e576192a8d201624e3f6b82388aea2a0d23c87a7bc4838934ffea1f648bffdbfcc9b368
-
Filesize
6KB
MD5f45f8f1fe145e941f3f329e6f0223a68
SHA172a375e2dbbc84db74b0d66f44ee7a969aaabe5d
SHA2560b2ebc2e8e1b3aa467c75fb0edbe117e83e0a2310460c223ad8d190d2102a678
SHA5128b7a842f3367992ea5a535300984ee46586e85a68a30b76e33ae3bc66ac3324aa497fe64dcd647585a812a9ac16d4f2adc833493e47eedee3378325ec261fbba
-
Filesize
6KB
MD5bc4c31be6775082a1028d2d76e921829
SHA1a7d7e61ee4cd546c1e6f6545d857e24ff7fb219b
SHA256e30a68cf56a53b15dea8b7d267e0ad709826adc1cbfe750ca872d4ffe5da10c2
SHA51210092124219e771239a67d0b426ba1286fe3209abb44c28dd184c4f9e0e2a91973a0c7bddefe36090978298c6a596a1155765673e2cd4af92692c5f3b292a059
-
Filesize
24KB
MD5c2ef1d773c3f6f230cedf469f7e34059
SHA1e410764405adcfead3338c8d0b29371fd1a3f292
SHA256185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
SHA5122ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549
-
Filesize
89B
MD58d528dfc1196d0c0613259760cb6a2c9
SHA17234d206e6ae009f0af981e156d6b75e0699d5bc
SHA2567e9a2be5e46b81c879adf8a13338a4848af082ab66e75f6b8b46a76013e405c1
SHA5120a1a69b2eea5d8fa4d86e75887bb79b4ff01d6587489be651dc27594b1ffd27e84a1d44dcf8d6134cb890598c4b0c7a65d4d0b8f281093df9907788f1b9e80c5
-
Filesize
82B
MD550def5c8c862a506f0c65e6462206122
SHA1540fafa2e7f47ea5e38d409e0bcc1f81f1a8ca6c
SHA256d0b707dd30d8d6b8f402837a4833d90904cf5d788d149323ba9e029f615e2ccc
SHA51202bc1ddfee5d00bdaaca55ea4c8954c1cbed3b4338ebfeeff658370132c05f98c6c5fd57239e2152600f70e9db7f6df4c00b020ecce4862e730777a60b58d406
-
Filesize
146B
MD5a92816243424cd90a77710f2bc147d3d
SHA172d21a63f19a0241f47b05c4a36899d754dfa880
SHA2562e716577be02c31fe0f15cbf5ab2db0e05849440742d133fa884a4bd2cd1b9d1
SHA5123c0160b183c593eb74a3732f0eefea60799fe3d999f5f2c659de5cafd2cc1d4bae0add531971fd02162d4c3c9e033e74f3269d49a408b367da20af6f40a2096c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD557b2b78ea4cf9479e16ffa861064ce8f
SHA1f1aad23544e789bffda49e7e7be4f88a0986dae8
SHA256f2a4b7791a9ec9c86d6bb5e895fff3382a126e46ab780d8c5053fbdb7d1a1441
SHA51281d420d530f075cd200714dda6a01af9e03f0c1597ef560041bfb4843ce441f50dd81c659363f341651f0121178ddb8502f588f9ff0148e51bcca8653e1034c6
-
Filesize
48B
MD54eaa00c734829b1e58a2f88534949b42
SHA1a4a4a9f917f8a1299ba6e1307f1e3816178ec83b
SHA2561ccb8a8982ed3546ebd6362d6ec64dc963a33f7f11ca15959365a9c496364bb5
SHA512d41c977ac2b673c248dd98d0a2e6c5fbb218ed364414e7f5a063080fdbb70f93e4a87daed74e29465481ce20276a5458ae5ad74123fa006836fdd96f2f28aaba
-
Filesize
1KB
MD55681f5ff615da80042c93f19cde54044
SHA13dac8c159b96788f2dd9b8bfc85418d2a6b1246b
SHA2566a239eb981a7eeb85bdf8c951a0928287e557ed1d5662bfbfb08a27b79f217c7
SHA51239731e2cc0b5d221e79501e4cf801680b68eef3da63e9879981b07ce86b6e3426a7d928792354c689cf3875f97769deb134b3cba3822d5bd4dcd2d4ce0688aad
-
Filesize
1KB
MD5e9ce49ca7bf18efa229fb97d8e38a1fc
SHA1de4cf37528ad6d98a2eb2aa7f887ad13194c1817
SHA256f417efd025bece344538020d61597fe6510d22c4e931492206347e9cdb21e2df
SHA512e7d4294e09dcd98e0b5c81283c1491f6d9863282eca9585b5eda3ccc7b58a661ca1be0ef8d66522c56099289af0d7dc41375cbbaa5ea04912f31070ad0e3b31e
-
Filesize
1KB
MD5d861a1fc97c4f2712ae509a0997c9989
SHA1bf85b5407dc4cfbe061ebae9c86db9cc91a2a214
SHA256b2b3b7bb08e35000c981a10c24ba63ecce78e3c5ae07c43d41f77ba530dd3577
SHA5123c4d7da7975515fc243c20a9860b893d61ca8396f7febf6bdf4b9625abd6334adbaf3e50910e574325c22075362105c0ddd422362febbb54682ac2ec59f317a4
-
Filesize
1KB
MD54f29609c660bd371f797fe549d3dd144
SHA17f5be78d92a37a5c6d436d24d80d11a4c58f7902
SHA25602d14551ac2eb8907ac269c8a296f58b220dbea0898720358550fc77a0bf5b08
SHA5125561167b95843b2f5608223f9dbb6a74e920d71a6257d1d0944715c2ede3006830c61caa3ea050ab4d4634a6b9118b767e718d2cd2ea080187a0cf4613fa502c
-
Filesize
1KB
MD5609407f9d8c3f2cb54abc420334e46c7
SHA1ecb2f3a1722a8d3a92f88903ce91d700e8321845
SHA256b5b7a081645b76ecb1bf77324504473674b75f79582eecd40e376ffd4c7ddef4
SHA51291a002f36f644d8e0a263155e4b6384d919bc3574c37230d117f5a9382f82c3737a60366889929f0055bcd9a05bd4a959a252e46686c2d9c7b96abe40620009e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
2KB
MD5f96a88c3742db44eec2d9df7a9fd2f09
SHA1d8bed1dc5a452d90c65db66fd4cdddf361abc3d7
SHA2563f7ee6fca851bf61e4e2c3752bdf9576f90076d7844bde4da3f989057c6c85d0
SHA512d63a8262a372b206412fd28dec872c4830340ac8bfcc97822bf1791dd1cb1b69150f4cb2d4de119eb27d5381fe9201d692689390e73363ed8f8cf99130492104
-
Filesize
10KB
MD5977c5eee63a69f8564e115f980726a94
SHA194436e425b66b40bd216c1b602e07bbef8aac01d
SHA256aa180c2e911e484dba1a7b8a9c29dfece4e9b3b3b14ef9b65d813fd391fe2e75
SHA51243a77884998a70b924c31734fba54657fd83249fbb1497287434e0a2f51f6743cb7779b04bca50c037c385e7c9dfd1951570cc225b0e4430b6770730e68ddb22
-
Filesize
2KB
MD5cd3b9f6d8bbac7bce9b1b5683469cabe
SHA18b78a1e39b37aec8ae8ad7a5b63a5e784baa499e
SHA25670e1b265dfc0e0bf91ca79c29fa8ba8cba32e252066d5a6ca62ceba48ccbf89b
SHA512ab0b0203064eac11ec5322e9a98a0c0203cf861ddcb1c9e538b4b215c1af6db046a8c4e20a747809f9797b70d4fb868e19dd0ed5dad0a8b1d940aa8c96e5b3fd
-
Filesize
632B
MD5401dcacea4acfc09e8774cd0fcf16129
SHA1ae03b7999297b5383785eddc4f6194fd4c80e149
SHA2561d5c24e97e32d5e4aefe29c6a84df664e67a2db5da7a6d138e5084a60a7bb0e6
SHA5127c423d05b9ea04a06614037c9e28f3da27fbb95daefd14450cabb35a6abf546b1a6585c1bcd07a66a3d02f967fa1774c9cb09b5520a53b2f90e0ed1cedae3dc5
-
Filesize
87KB
MD592b82c490c282bf2b09268be9b629732
SHA114c07fab8aca1f8f41936f1217478a25beabe3a8
SHA2561f4ee8b00682f5dd5bf0c95162897566ba5ca1c4443cb252c7559687f3b78273
SHA51274f70859a2c9372eb079518a9ed2261180263542213d87ff9911926d282f87548e8f48ecd550e574992907e23597b6ca1bcd2438cc6796b49588a2a93720b27d
-
Filesize
1.4MB
MD52e20a2d7c6194a7cbbdda4d9452bfa03
SHA1bdf07ff1bc943028fa77f68edcee9af66605cd5f
SHA25634146b4c86a617d559fb0012ff0f5afd04927a97143affa9419ea71e5411f061
SHA512037de372946426dbbf019a01f171b39eb67544a620188a6b0735233f8e57dda0e23a9f4765df5bec28ad7a8c5de7dc9ed420f09b2784d809238286a1265ddeda
-
Filesize
182KB
MD52eae4f217dafb0e02f5d37c44ae2a652
SHA1414b9875eff592c656038f38ddcb12e8064f744a
SHA2569598973b13a014ad884b46c7494a0392a36270e62a365803f9eb1438b2c19f4e
SHA5124aac7e26b26223cb201b5e5fb581c1e2eb32f8877a1eab582e181695e0503be4a4e545aa326dc112e7deafc1ef2db2c7c1ed1968339cc89b96f2f1110aa637ab
-
Filesize
1.2MB
MD5121aa508cbaf7060c64667863c8e9389
SHA1fdeaba571f6e72d4fdb77631579f6d9bf5356f18
SHA25695036dd4a2fc22e08a063ee05b13441b1a9df0d93ef4646c16574f7c460eac3e
SHA5124ced304e8f2c4662a216a8fa2a36f42ebfbb6fe4f9d05d273f111943ee00a0941ab3878ec5d04cfac688ad4149bdacfb8cc729da9ba43cd3c16f13c64b5eb529
-
Filesize
219KB
MD5f65f417183727d8ef72b19a7ba3435c9
SHA11ba33b32beb0c119eed2ce54d16a92342577f37a
SHA25632c97705475e244c65dff0254525ab7847555bf05082db2395f05db2e125bccf
SHA512abe8a29652953dba6b86516890eb0253ef6bae0aed39b92010873ac25154246acd1dec5858036015430d8ca27fe91031b6ba031d0488cce396d1cdf539a7fd0a
-
Filesize
1.0MB
MD54703ba737b5cdb5519cfe63d74fb3dbc
SHA121096b4f846b4d7aec36fe953de2007d27d33db1
SHA256a53869996516adfd7af5610a409584618d747d1386139e632eebd84df93ea612
SHA51246a42fb2aa810d07cb4048cecc555f8bbb1d13cebf9d486011f5e8f53369fd72e522fce28aaf09a4581ea70e6044eac97cb1b4b2ab73d7a70bc2781815750e90
-
Filesize
1.1MB
MD5a4865323ef36cd164e7a023f917433ff
SHA1ca2e62e99540d345da483514c50edd4af13705e4
SHA2566a42355d8aa58d2cc8c78092d4ff0da6ef3293674ae518e15c71d1ae10cd1c67
SHA512575b0cd897c88af2e03897f67123e3ecdfe8c0eb6cbce87d603520a1d748f231792210671d950ed900858bb0f84e8a9770030d96f3ed69d7964e566a357eebba
-
Filesize
647KB
MD5160a38e156d9d16c2842f119ad0acb7b
SHA1137cb4df3f0a3a711bb24841585f81bbfff781c1
SHA256a4a88dd47fb2c0d47afc4cd467cd98b775329552d605d92a369e8a192600a5d8
SHA512fbcbe0437f1c5a1b2f32a0ff716c3701fc577df48267fdb6c85925ba750cd006723f8716fea1a547edd9bb932bb00589013f9cf026475ca6798c271f278d6077
-
Filesize
30KB
MD52f9257e7bc6fb693d58e213784b509f1
SHA1dfb07e903b57d6b26c219f31c3c229e316425899
SHA25636c7928fd1c4f637fb4ebb75c5e491ec990d608bcb07adf59644947e46e21150
SHA512fc37f43d513b8a719a9fe276f5a084aeefd6ab6e3597d1279bdedc11805c9e1dce956d1818d7c9aa5143b71a7d0de2c6b4cca2ba09ed10de3165314320e87ac5
-
Filesize
522KB
MD5dcadef184d3ca1c2568441d3b0b06b12
SHA1c7ed42bcc082a3b1f5fb254185b603cf948022b7
SHA2562e38b54b82570e519260902146b594aff77a694e956d49e6cf93ddb466163fad
SHA512dcf3b732b916c1b518c01267cfc330988ad5f5f24646c4b43dbcf488a4c76e417eb9033728d1579eff70bbf63a4411729a0bebd4cf24c2360cd8d16c5efb883b
-
Filesize
893KB
MD50e56e59513a4b1d1eb512e8187ec7ab0
SHA1992bf232b6fe1c8e363818191c267f7ce9a435e9
SHA256bd2bfabee2939f8bca5de7472b0fc90b6ca02f0a1db275b0970b32a53159ea5d
SHA51293c4e5da3877442774658a5f516447c8debe2490a969cafea145e67d0572ee0f8c7d3031c588a04d42aa1b769bf5661f31086986c4a0180393b08dd8f9c34241
-
Filesize
1.1MB
MD592d270ad52299d83b23749f1307822b8
SHA1bf40dba809684b1f4994e52c057c2579cf943b05
SHA25636c4eed0f2893a3326ae8c2a20e85000356a95c67e0dafd7093b19619d6c8f0f
SHA5121e296b8531aa153461c0de6e401276815efcfee0f66a031ce718d634b771476b25b38fbfdc006a17af27368ee7b06f60ea4a1de156eb21e693f7a24069438828
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
6.1MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB