Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 18:33
General
-
Target
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe
-
Size
1.6MB
-
MD5
8730beb5e0481f045236541cbf84b0a6
-
SHA1
8e44b7bd8462feb51c116ab72cf6bb460f2c5ee4
-
SHA256
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365
-
SHA512
2da9d6a2bec2b33332ae4c0a5739cc5fd19a4c2f011bb28f3c69eed8ca654336c570526ffc7b2530637577dce49e98a54f3512069212acd0dd16a323242c8b40
-
SSDEEP
24576:GyWdCALxR5STmSCSGz9FUkJ4RNGAWei3u7A2Lj2zPYTf8tAjbg:VWdCAfISSq7TAQIA2Lj2jKIA
Malware Config
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe"C:\Users\Admin\AppData\Local\Temp\e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pq7dB96.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pq7dB96.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR2Rl96.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR2Rl96.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gt7ug08.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gt7ug08.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OY0fx68.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OY0fx68.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dY4qN56.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dY4qN56.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gb93pY5.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gb93pY5.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Kz6190.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Kz6190.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Mj79rp.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Mj79rp.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bZ649qI.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bZ649qI.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hB2my7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hB2my7.exe4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Cb1kI8.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Cb1kI8.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IX6NE50.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IX6NE50.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\536F.tmp\5370.tmp\5371.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IX6NE50.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffeb4d046f8,0x7ffeb4d04708,0x7ffeb4d047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17939002448892190396,17433571113691517198,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17939002448892190396,17433571113691517198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffeb4d046f8,0x7ffeb4d04708,0x7ffeb4d047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5712 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3674841780691720962,7067522310981043642,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffeb4d046f8,0x7ffeb4d04708,0x7ffeb4d047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,5287279248430635822,6200912414802757578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51ac52e2503cc26baee4322f02f5b8d9c
SHA138e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA5127670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b2a1398f937474c51a48b347387ee36a
SHA1922a8567f09e68a04233e84e5919043034635949
SHA2562dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA5124a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5357ae8c05a32c7bc4a44bd40f7bf0ec3
SHA1f8d31b81421bff2076707a059de83b44f5a046aa
SHA25693e36c0078b296665d4fd1485509934830d799a9f96ad91f75f570141f4c5993
SHA512072377b907217ab3f8a58ca7835e598929d09c4ba17a032978cce5a27fa76989ca1484d1803da73dec00b7f5c003d8589cf035b1e869dffc1120c6e7c1d943ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5a00398f74d8293fa1bc65263de84f2a5
SHA169d14181cc3ad84b6f6093ee8badad5499afef7f
SHA2567308abb235b76615d36be51a557a63d166090352cc270988f07a88af10cff885
SHA5129036a54c1496b4a30ee2ccc090895c81e543bfaab08b5e1726755aebe04f578bbf13d57e4ec20a493f71f09e9f53470f07aa28059d99b39ed89d4576f9ee7104
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD50ef64f55d0c0b1f90a47c4f8da243b38
SHA121615928b06d328f20f188f2fe55771f21c9d7e8
SHA256507b57f198d3037745459ef990e154ecbc93de158e1deeb3207a8fea209c74a3
SHA512ce3565628cd8c74853b2468577d747f6be56c02638d332702f0f6be3bdc0c79b0a1b6a414e6de8217d00b518be166d5d18f764a00f6798c49d4290b3cede6887
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD546f7345fb915ebaa8e87193b6f0c77c3
SHA1703bb49debf065ca0b1436900f5671da84f62247
SHA256a3edbc8d4a836142b53f3da1c6691df6fb1cb91fe29e0d847a4dd61520486116
SHA512e97b575bcd63c025bd0783baca1c9dbb2e99691842f6ab9bed2d3fe8ba997d4915a221438f0d64ff452f89a4c02b1751d42f53f35472bc6c969e1de92abb15b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD531873de1b67cbac5e8410b5c571b3fd1
SHA182fec33b99eedaed07a03779ef50d156d3ef452a
SHA256fdee8648b2eebd141215aca88f2d930da3b4ad405077f7b8493ed1e72f2a0e35
SHA5126c140e78bc1e6c6b32f8db51bfcf74598548788fe42739971379f4c1041e60c0e5c1a96c5fa743345ea86443e5362a6afb038ea7d7c1ca8114852f625b504f32
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD5e334d82e3c8de144a9dafdaeea732836
SHA1ca35e9fd5fadc1758cfa492b6f7fa33b6fe6f0b2
SHA2561871eb2bd98154c5a01d596d9e01004c4c355451e95b67e9945aa66d6787544b
SHA512dade57edee1649eb8f0e2c0f008439f94634438aec62623aec1d59a4d99705c977d72d5dccd0479d475c574b291f60269e7a17f33d1b2b3e49292e0d2df84740
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD5f8632fddfa56451a2ef0765482d5ecc4
SHA1c228509ae4dc0433ab289611841810a22154fdfe
SHA2562395300e61ad67242f9e9698f972b5beed9690b06526c6e28c751f342d384fb1
SHA512d42c472980b229ef445fa593a9dc89495ada23d8ebf8f4c6c339f9de8a3dcb1d2647a48b3626b7e926de06ffb12af39aabb40b32100bfa23f47280ca6110b20b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
82B
MD5669b7e90bd92784264e6cb54ff1b4eff
SHA1ba22f39095d9b287ea940fcb9ecbf9990d32629a
SHA256d7f9468d3960c0cf0dd3ad714b6950a0c9341f056373b565384294d6850458c5
SHA512e8d7011198a4ff30a22a849edb5dc5a0407d47f4ebdf23e9b2b4377d925a67c6af336f0e3a36ed8ce7ecfedadd80fe74d4b40c80565e667c50f471cf5b970640
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD5937d18aad54daed7c84da6aa9aee1326
SHA11a6d1cb5b810ce7101203ffcd8fcaa50b232a8c5
SHA25613b9de7a51e45d2d1722f84529ef2b9a7a9521403e0f3aacdd728c79a575ac3d
SHA512b73d96c4da81a7d96c9938d921f2305f62ce411a7d79e16882be615df4baad04b0593c9b552ca81a556443712d814a62d6865cda218c0af37766bdc26928e9e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c19a.TMPFilesize
48B
MD550e8627f43dc9302e77a7430f955bdb7
SHA1e4f4db3b1f46cb1938ef6f3974c990ed54855c7a
SHA256da5b6ba04d7abf99fa669562eafa89d98a729d8481966269d836828e147f1856
SHA512186bc4db105b3f4b06f14850604196c89662bd57f55315b3a47b546717b530ad0b8e1d513fd41d67a1b534b124442df3e40ce4f6c9aa0227e609c7e82b5547a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD52b8c96a53964b3dfa4860f8e99e05ade
SHA1240f2f7b1d712b799e7bc9dc21c9c36fd45e446a
SHA256a6de4e5f2625a4325d133f193ec6639513d2002bdd80f947824d7f42667e16a8
SHA512ab5b3b82eb85c3e31c49c43d316650c233d6d183607cf791efe1f6be673c978d035eab7e0335501aa38c66b1c7af492eafee1018f84429f2500e121ae777330d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5941334c7ae9b745b6d311d3953a3c751
SHA15150d7fd08062717a712fcc91686eadfb5ec7125
SHA256a6d1a2f8ee7e847d9a48f523991a6a65f536aacfadbe2f964b77d48fed8d2d74
SHA512c932094558bf7177d4b3317446757c8aaa78124bbd037c8860648339e523b858a106606edf818149ae5cb0ed52f7371265495c81eb4056a5986ff213a015686d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD56f86e5ead873b26fb5bf3ff1a88fbded
SHA1bfbf17fe274a66345e11939394de661c8a27e68e
SHA256c24a4c63847f53bb22e09d76b8218eff9ec0185a691c475597ed2ffad6636496
SHA5123574e2aeebae1c0bf68cca0425a878d22ebc5ab64ad39150b10f8c5718979523af53694950f6e56fb10ee22f439b11191e701138471d7fc23b20ba2c73ba4e4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bde1.TMPFilesize
1KB
MD57dc9a0968a669373e425e3e9514400f7
SHA13a00b471408aacd2136f7cf2131b760825ce505f
SHA256d0d20dbe204dc9864cbbd39cd507d54ef4187a07548404723e62725699e14332
SHA512cf53eee5c5b92373c3c42e220f4e118deed8f3cefc38f84e544725f3dfe39d5c349076a2ad4c66dfcf7ddf090a660dc3ab0a56c1907123df609abd40d4fd78f8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5a6622fc6c7f64ef80eb40a56ebfcfe9f
SHA125d5ec02416324f480ca559e53364a23973e8a9f
SHA256d096db987e93bae25d3f4e3e6492c7cd66f88da9519f4548382bce4383331e22
SHA5123f43b954fa9e0ad7926d77af0cf150faa787ee451dc9f83369b8d0a742035a76d8e68e3731b89b7259a2f989b8a72a7bae1350744e8dba11ccd81c66f4a13983
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5ad74a7ff4dc49f0980c32cbacfff20b4
SHA1d8caaff4e02c37a994699f96e6dcbc56318e4c5a
SHA2568c016a204fbd9bf4ea5c949977db264c735ba57ab6ff5130bed6208201db5a77
SHA51261d9a9062d3e6f45c077ae679b2662fddacdf9684383711e8d21e3ea6760a409a241d675f2f08b5ef899122e146b0a6757643d59a99fcf8e0c9633cae9e6c66e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5f3d87af027d9b1eb891660da52ae9a5a
SHA1d7b3668e19fb9686a3f105d2c590b4ad25394309
SHA256a06aee53c63997a1c27954d3404c84dba9a16e56e94dfe0f7aaaeec3081edc22
SHA512f8eea380486492dea893fee11f5d8448d28687b7a193af2d0f36f4c29da8f9049869878979885eda955ab3cad209ad8c4bc93b78536927b131ff4b9ebff59016
-
C:\Users\Admin\AppData\Local\Temp\536F.tmp\5370.tmp\5371.batFilesize
645B
MD5376a9f688d0224a448db8acbf154f0dc
SHA14b36f19dc23654c9333289c37e454fe09ea28ab5
SHA2567bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a
SHA512a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IX6NE50.exeFilesize
89KB
MD5f5ceea2cbd6adc5adba5b2f9b51cde98
SHA10f80e3a51de742f44b9d5b135993a044cb0d81a2
SHA2568adc603d38b065f646425036cdab2839cecfd0a2b81b63e5de74fdd9fc08d6b2
SHA5120f1e5ac73217eeff2e2573417a31be326b754c16bab0f2433bca16c47a7ad17c7fa84210bfba8514d98c1a497dd8e3cf7caa20107b2dfd08ca26f1ea8a10de78
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pq7dB96.exeFilesize
1.4MB
MD5071777dfada2f20e16651b0ff100714c
SHA1f90f462d194d8e7482a4423f8ed0b6026049a7f1
SHA256b27cbc48117a4f027ff89bccdc669c26b8cfbfcbea40722dd52cd4843c09a85f
SHA512225c9e9c488c44f28375de4ceeea8e1a347128189485010a3af727b3cd4ff7d460481e4df49058c4a386a495d970d270866abdaa7137ab43f330d64923384ef3
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Cb1kI8.exeFilesize
182KB
MD555bb07554d27cc9689262cf9819124ac
SHA1fbc5a8d82ff47737f5af5cb5eb3e7594aa038f67
SHA256aa80c263a1dd96a07338d188a68768fe8c42c297264ea37278a16ec16d3cd024
SHA51230480c4148efa65c567727413a0ec1dfdb41c27fa7ba806976f40a012302532097d3c6526890c3d945bf720fcb392bfe3ddd1c9843a94e64f51c0ff77d4b2644
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR2Rl96.exeFilesize
1.2MB
MD5f408e8d21d87a5d54e2022dcd1aa228a
SHA1cae4692a06e24b457510284979f5837514ac38b8
SHA2569b011fadf3d4cf9b53444a5633b6a317de32f3acc09de983fcdfdabd406f8a45
SHA51204c73cb563c6e60e31a12a409b8e18463be9274152fdd5d56ba15ff6564f3f98e5ff9423e8afe49f0a17c6df1ac292e32e95f14d2542d65c64308c2b986ad154
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hB2my7.exeFilesize
219KB
MD5cd22eb547f52afc581394bba3b7bfa11
SHA105dc362b4a22708860df91684cab4366bd5f5554
SHA2567ac7e38465298288a648132204e82e036fad95419dd75014f523101e992ad7ed
SHA5125815e6bd786e5d43412bb183c50f218b0fcf9c00954e6de5423c5542ce08e87517a4e8eea5152aa8f50e6cf1f5d776e2a746a64c57b9a4f8abc033fd3e7bf32b
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gt7ug08.exeFilesize
1.0MB
MD51b524f10a16979e1292c695e7cac953b
SHA1b5f0492b4fd81d3661708102bc25e217e1702454
SHA2563391148c7582a830b4c165392bcff7255a723ff67a6de9eae6ef104a0971b53c
SHA512b3a9ee55085d44f3e7b91f83d42690c8e394a55e5f0c0f323a75253894624871e90cddaa8a8ab5a6e9bd7ae6c476827e0e2a62f6a690acc1980eb9cb17d32f22
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bZ649qI.exeFilesize
1.1MB
MD5847c0307fa4b3dcb68296b2624fc0150
SHA143a1309eeb2d0bdc0818a8bb081c92a99f9d1ac4
SHA25616ac90a295acb8152d8c5c34982048307c348b91466d71c27225befad9ab1908
SHA5120744f7b3199ccc3bcf97a4b00aa8bec97adc1e6fae4b3569278eeefb60b6dea91effc79bb0f10e92747763bfd7ecbe2fce1e757c4f20221dfb02279ecc10ab67
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OY0fx68.exeFilesize
654KB
MD56bf1ef97fb912648145ba8485d0034aa
SHA1ebe81236c38c87b10c18ac8294858b0dd5c723bd
SHA2563a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76
SHA51233fe49918aa24ba2b8f91841d306be23331272e104ff45a02036d2ff23d18ff27eeab62dfdedd80adcfdc0b751d22fe5f24bf6956ef81a7f6e7def89d5ff0c13
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Mj79rp.exeFilesize
30KB
MD5215e3a9d31f716e9fa83930c20b0447b
SHA1eedb95d8509fd44874d0edd450afc719b179bb91
SHA256d3d4a9677a53e4a96c61e7db4859048dca12af579a174e69df3088d6efa0562d
SHA512f39ea66bf720fb573a7a45878d4bd255e66f3709c54f2a00877425072d1b16eca69cda79cabd95705a88b54fd6676e78d39de914470b2569707639681657c92d
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dY4qN56.exeFilesize
530KB
MD5e63ba8400f262a064a03ad903da92ea1
SHA1ee6722892cf70e631549afe07ef6566b85f5f92e
SHA256b85d1c3b8f669d663ed41d0075485df944d5e0fbacb12b285b30862afd9934f4
SHA512d831ba8fb671364601219947f67214321e4ab6e1bd5362446a90e0455e3095ad9f0d721338d4dbea284c53a51d469a6d575f162d0d36caa3493d69f730004dd5
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gb93pY5.exeFilesize
883KB
MD5e710131b72c78af653d8d53004137b86
SHA1e2130960a1e26da27507be5fdcf680ecb646914b
SHA256b0b161892bf942f12c413d1c9677688ea67d9e131236ab707726b0ce1b504f33
SHA512be99c3428847c92d735ffa581f9ec311f061285008b728e23dbe692ca3345e1ffedaea19ae55337b65664bfcb665ebe798f21a5c6d8c2bdcce4449b205eeabff
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Kz6190.exeFilesize
1.1MB
MD5464cce29c9abcbab188937169d186a28
SHA16a2e7d87d074c17b945396562f140dc3582f41ee
SHA25622401410ce1fa30f7c3526c4e579f092c7b0d96205766eb7d69a34de62e7e2b6
SHA512fe18c91339bad1b6664a878fc73f35880d6ac765acc3f3390312751f1ece5c6aef87293c30af880e456827dd78fff42b345a078c2b9a677697bcde79f5bea98e
-
\??\pipe\LOCAL\crashpad_1888_TVDUFLVMALWUGZJSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/228-81-0x0000000007BA0000-0x0000000007BB2000-memory.dmpFilesize
72KB
-
memory/228-64-0x0000000007F60000-0x0000000008504000-memory.dmpFilesize
5.6MB
-
memory/228-83-0x0000000007C30000-0x0000000007C6C000-memory.dmpFilesize
240KB
-
memory/228-80-0x0000000008510000-0x000000000861A000-memory.dmpFilesize
1.0MB
-
memory/228-79-0x0000000008B30000-0x0000000009148000-memory.dmpFilesize
6.1MB
-
memory/228-73-0x0000000002EE0000-0x0000000002EEA000-memory.dmpFilesize
40KB
-
memory/228-65-0x0000000007AB0000-0x0000000007B42000-memory.dmpFilesize
584KB
-
memory/228-85-0x0000000007BD0000-0x0000000007C1C000-memory.dmpFilesize
304KB
-
memory/228-58-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2912-46-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2912-47-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2912-49-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3156-54-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3156-53-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4256-42-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB