Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 18:18
General
-
Target
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe
-
Size
1.6MB
-
MD5
8730beb5e0481f045236541cbf84b0a6
-
SHA1
8e44b7bd8462feb51c116ab72cf6bb460f2c5ee4
-
SHA256
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365
-
SHA512
2da9d6a2bec2b33332ae4c0a5739cc5fd19a4c2f011bb28f3c69eed8ca654336c570526ffc7b2530637577dce49e98a54f3512069212acd0dd16a323242c8b40
-
SSDEEP
24576:GyWdCALxR5STmSCSGz9FUkJ4RNGAWei3u7A2Lj2zPYTf8tAjbg:VWdCAfISSq7TAQIA2Lj2jKIA
Malware Config
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe"C:\Users\Admin\AppData\Local\Temp\e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pq7dB96.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pq7dB96.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR2Rl96.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR2Rl96.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gt7ug08.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gt7ug08.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OY0fx68.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OY0fx68.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dY4qN56.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dY4qN56.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gb93pY5.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1gb93pY5.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Kz6190.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Kz6190.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Mj79rp.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Mj79rp.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bZ649qI.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bZ649qI.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hB2my7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5hB2my7.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Cb1kI8.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Cb1kI8.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IX6NE50.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IX6NE50.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5D52.tmp\5D53.tmp\5D54.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IX6NE50.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd3dfd46f8,0x7ffd3dfd4708,0x7ffd3dfd47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5500 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12789800713705310874,11994073645411222563,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4556 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd3dfd46f8,0x7ffd3dfd4708,0x7ffd3dfd47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,12675135145151108547,6538685801021092764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,12675135145151108547,6538685801021092764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd3dfd46f8,0x7ffd3dfd4708,0x7ffd3dfd47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,8836720839158921619,6399852506786152095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
Filesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
Filesize
1KB
MD5f768bfdadfea273c3572be3e4bb46728
SHA182b44dd98ca329f22ebc19fc0302e72410d4fdf2
SHA25685e9162e118f134524fc95faf94db7d7e19574fe3ac6823c7aeaad0534a2dd89
SHA51210534e8830356abb3009b42199dc2cf99f86c7c36d4b5de0f34071782565a096fdd2608ad3fb471e54d55e1e3d0dfac6349ac4e76d597c71be9ab98180d53852
-
Filesize
2KB
MD5e1ab84ab8d8535ff8e0a4cfdebec873d
SHA17ae0a27d7ee80d7b6f891a7d57c07c914336b562
SHA256d75d10e7e973a6dd3c24d72ff746aee072160b98d81c1fa3455153c58653c156
SHA512d88ed8fe9324c4d19b7d99d5d8bf0a1299e954f124f7e596f75769e5cebf3f067aff290f075538cd9f08a4ec14a04f9ba7f27ee20e11fa7f50a0ac9c6af5c8fa
-
Filesize
2KB
MD5a86b17ea52a8ccb8d08a020e05adb9d3
SHA1e82b5e7305b7b224d5649bfddd7454d738f57236
SHA256f33aedf4257a223744cfc83eaf8832cb95988cd0bb97cb19a9dcdbe3ff5732e6
SHA5122ea6c3dfc31180b21669f26bc27b153c729ba9f22df256d5f5b9902287b5f3bbeade56780c6f015e03728e119eb085d702fead8c35fa365882cde68826a4c61e
-
Filesize
7KB
MD5be8d129502e4794659fa11d8fd7d0f59
SHA146ba1dd793c3fbe8de0ee2be91a1015134b54e46
SHA2564f07e2e9a6d59570f9950242f32af34f1ad7432cd14fe550f12f09d350f2cd64
SHA51217cc4905346fcee0175cffa11f9788bdedd5dc8112d27eded1dc9c92406e208867527aa82086a2587d604b4fdb039b80058ef1a110f3e97fa096a2e98b61cb50
-
Filesize
89B
MD5c8ed72eb9bea00e07bf7bbf8bd56bc61
SHA14eeeee0f48f5bed4ee92912bf37ae0fe6892960f
SHA25669d3ed26e59b1a60c41cdd06df97f83ff28065b470ed3c2b2d7e97a70e2a58a7
SHA5122f7fe2bcf0f4f4ccbc2982ab8ef3024b4a47678b5852693258d0d355413c1a6b474efcfc1406c99a8e7d8e3bd1937dcd11041ca4c6a587431145acf537b7f548
-
Filesize
146B
MD5cd7bbdc013b5034e905b29a318cfc12f
SHA13e5ea1765197d1e4ae256452eb2a106781396725
SHA2560adfacf63f9c4a218504dc2e8ee4f01b3fb49ef0b7b83c8112f894dcb4e28985
SHA512488aa7db85d0e72683e4311b35d153b929ab428d9e047039265b4751180bedf94fa55e34f921fa84ba67419441543e82b009ea3d7ce4f651ba09e79950f50cad
-
Filesize
82B
MD59115521a26a42e6549fec00104b98372
SHA1058911aa83f5a329e8aecd68d844e7a7b04f2b64
SHA256799464f18f77142ad21fcdb5e470fe256ceb6829e459261e9f7e1d2ad043b1a2
SHA512a3f5e90f5fd13f77fc2f8cb46bbd4c4aa543cbc2eda630e5951c0281466844e5496a17da0d3ea828f0d15e368ee0e784e5920dff904cade3f2dff18b7176bd55
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD5a3adc9ddd9c771e27492c905cf049352
SHA1f9fd7e5ee5b68f4b4fd571e1df0fc72e5ce6fab6
SHA2565fee3c56ea0f4e99e2527079680b65155c5893574cee4505c22743a13cb209eb
SHA5127ec63df4848768a0c5e590d7c46349a15f09c8af390e187f974b039662280e5070679e533de56a4148c6d77958a812066f208ebbf23913613b0987169bdf8901
-
Filesize
48B
MD50fd2cb8b88ef5045c36d837f2f0c47bd
SHA163e7e98c6968ac6d9e592ed6afc75f74b48eb73a
SHA256ec5e1f3846705a32ff6c41ceda347bd70364eed2897c3fe2b07323aa4824a46e
SHA512fc2cdb4af75018b556fd3561f7c7c98300ab909045f3f329538057c51c1c9794c1d66f7ced72398a6703f61736b0b1beaf3bd2c765bcfde4daa9d3e15a8b86db
-
Filesize
1KB
MD5adf76eaf7223f8ac6d5bb3743988d65f
SHA129803d867539b507132991503adadece0fb551d6
SHA25628f5e11a0ccbea5133eb295d039f45a6725cecba98e02b694c0198ff11ca047c
SHA512b509300d9f6aa279787796453655f744d1191c1b8bca8a37c77ed5f6dafdad6e2835543131cdc426975f3e0dfd5dd30cd759aa22ac6a95199e62c1c06ec74cfb
-
Filesize
1KB
MD51c2c176534b9ab0e180d4c4e94348208
SHA12cd796071005d01649fc19b10a73cef77f363119
SHA25617a5224b5bfbabd9782eb021ad0845b10578c707a1737bdec1dae0e189fa1b45
SHA512d876b57f7b850ad3514bc3012f9885a7360155d24eb19c6a424007e1b6c32e531a0bdb847b791d4d5bad3dff207ed76d4649d9aa685327688a607e4b1753fb01
-
Filesize
1KB
MD5de629fc11b04f9fa3f979019b13b40cb
SHA10b6a4ef2b3ddc47b76e73249a1a50af7853ec286
SHA256576b2c0d85ab6c14e66cf2581469cbf905236562a3e23c8218d06c6336d6f831
SHA512399ea4295e32b35cb08b5a5101e89ce687b78881908a0dd5ca0daa2acaa3662d16fb30915ea52f8ddfbcb77d6b7aeaad2deac4c2b28cf3c36669ba432380a013
-
Filesize
1KB
MD51b2e3444441344f7351625b6bc87ac7c
SHA1728a2e4f7530501780a3c435e5c99b9e14940164
SHA256f7c01005cdf28228e34698a82cf7faad29a122455b8b62bff5ddaf3cd629bc04
SHA512dbe742d42511cdc332064dab5feff08b283eac9b8d0cf6d6034389c171dd6509ea9d0d4a9e2afec216131cd8f56851680cd2b58e6a71dfb43f8a4d99ec5e9ca9
-
Filesize
1KB
MD5b6c5020a77db871597e05f41bea41b2b
SHA10211774691972fa4cb8ffa08254bb76c65ed0feb
SHA25618c15fb45b28414c04b9ca354a5ecca6043baffe06b5b4d262a78e0d5c986446
SHA5128adb8ffe11a039c811a75db8815ed8bb2bd6eb9d8202a402b799415e3ce693e5399abdfdb41bee249b35198558671136181d330b00c6ddec089154a531756e2a
-
Filesize
5KB
MD55df1cadb3e1516f35550c8349274e89d
SHA130fbe639143ec2ea3d0cbf2c085080e7b3234ed5
SHA256bd6282e3ec30b6e58b1da3f56841cbbfcad71f138e79b5087f08a7fa8ba9bcb4
SHA51201f7d16f28b8a599b007d7a8544c893fea5e0f1b0e9a101461d93ec6eae694bbc9256ad71118ad5d17936344baf6df35ce56be326f1c997edf3cf3035d882e11
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5d692d50fe44b2c18adf85843a1863875
SHA1fd4ca5007edb01baceb80445587495ba5d4e0d7b
SHA256b2a31768fe45d4561562a8c1faad432486d14f8c1c255c5044c2adfc8224975d
SHA512274f4dd5eb5fad70376aa09a63b5687fdb95d646585bfdc9082afd205df471b493f3bd272bb95cd053f1400f213f11074eca2d7d690dd2309cc37d6445690f1e
-
Filesize
8KB
MD53edc7fc0d29bc4d22ce0ab2a8cd83f01
SHA113927b3bf297ed40798e1c0b949d8fd2ebb9cb33
SHA256083a381d08b4d98907bd94bc1df49f1447a35fa919f598932d3d7a73c77068dd
SHA51292e4898aad63fc591757c40ec256b6190d8df4c1253d39d3d43e98d9b051f1b27b53e56294319c1ae6ec70db1db068af0fbd778066d081777fe7ad7eb12183e1
-
Filesize
11KB
MD500199f6ecb3d1e7860ffcef09a0ed5a3
SHA1f6bbcf32ef9de530444a4ec1096a5a3517e03863
SHA256365e050e27b1b1ed3398fe1b853406aa70e9b164660e5d1189d701b6d32bea3d
SHA51233fb531497e5d4c69a64d72fa89de5bd4d3745f74167b319135925441a1b709b1ff8deeb6b202dc2770ea21406d64458b05056f792612fe595d7ca433ccfd1be
-
Filesize
645B
MD5376a9f688d0224a448db8acbf154f0dc
SHA14b36f19dc23654c9333289c37e454fe09ea28ab5
SHA2567bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a
SHA512a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b
-
Filesize
89KB
MD5f5ceea2cbd6adc5adba5b2f9b51cde98
SHA10f80e3a51de742f44b9d5b135993a044cb0d81a2
SHA2568adc603d38b065f646425036cdab2839cecfd0a2b81b63e5de74fdd9fc08d6b2
SHA5120f1e5ac73217eeff2e2573417a31be326b754c16bab0f2433bca16c47a7ad17c7fa84210bfba8514d98c1a497dd8e3cf7caa20107b2dfd08ca26f1ea8a10de78
-
Filesize
1.4MB
MD5071777dfada2f20e16651b0ff100714c
SHA1f90f462d194d8e7482a4423f8ed0b6026049a7f1
SHA256b27cbc48117a4f027ff89bccdc669c26b8cfbfcbea40722dd52cd4843c09a85f
SHA512225c9e9c488c44f28375de4ceeea8e1a347128189485010a3af727b3cd4ff7d460481e4df49058c4a386a495d970d270866abdaa7137ab43f330d64923384ef3
-
Filesize
182KB
MD555bb07554d27cc9689262cf9819124ac
SHA1fbc5a8d82ff47737f5af5cb5eb3e7594aa038f67
SHA256aa80c263a1dd96a07338d188a68768fe8c42c297264ea37278a16ec16d3cd024
SHA51230480c4148efa65c567727413a0ec1dfdb41c27fa7ba806976f40a012302532097d3c6526890c3d945bf720fcb392bfe3ddd1c9843a94e64f51c0ff77d4b2644
-
Filesize
1.2MB
MD5f408e8d21d87a5d54e2022dcd1aa228a
SHA1cae4692a06e24b457510284979f5837514ac38b8
SHA2569b011fadf3d4cf9b53444a5633b6a317de32f3acc09de983fcdfdabd406f8a45
SHA51204c73cb563c6e60e31a12a409b8e18463be9274152fdd5d56ba15ff6564f3f98e5ff9423e8afe49f0a17c6df1ac292e32e95f14d2542d65c64308c2b986ad154
-
Filesize
219KB
MD5cd22eb547f52afc581394bba3b7bfa11
SHA105dc362b4a22708860df91684cab4366bd5f5554
SHA2567ac7e38465298288a648132204e82e036fad95419dd75014f523101e992ad7ed
SHA5125815e6bd786e5d43412bb183c50f218b0fcf9c00954e6de5423c5542ce08e87517a4e8eea5152aa8f50e6cf1f5d776e2a746a64c57b9a4f8abc033fd3e7bf32b
-
Filesize
1.0MB
MD51b524f10a16979e1292c695e7cac953b
SHA1b5f0492b4fd81d3661708102bc25e217e1702454
SHA2563391148c7582a830b4c165392bcff7255a723ff67a6de9eae6ef104a0971b53c
SHA512b3a9ee55085d44f3e7b91f83d42690c8e394a55e5f0c0f323a75253894624871e90cddaa8a8ab5a6e9bd7ae6c476827e0e2a62f6a690acc1980eb9cb17d32f22
-
Filesize
1.1MB
MD5847c0307fa4b3dcb68296b2624fc0150
SHA143a1309eeb2d0bdc0818a8bb081c92a99f9d1ac4
SHA25616ac90a295acb8152d8c5c34982048307c348b91466d71c27225befad9ab1908
SHA5120744f7b3199ccc3bcf97a4b00aa8bec97adc1e6fae4b3569278eeefb60b6dea91effc79bb0f10e92747763bfd7ecbe2fce1e757c4f20221dfb02279ecc10ab67
-
Filesize
654KB
MD56bf1ef97fb912648145ba8485d0034aa
SHA1ebe81236c38c87b10c18ac8294858b0dd5c723bd
SHA2563a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76
SHA51233fe49918aa24ba2b8f91841d306be23331272e104ff45a02036d2ff23d18ff27eeab62dfdedd80adcfdc0b751d22fe5f24bf6956ef81a7f6e7def89d5ff0c13
-
Filesize
30KB
MD5215e3a9d31f716e9fa83930c20b0447b
SHA1eedb95d8509fd44874d0edd450afc719b179bb91
SHA256d3d4a9677a53e4a96c61e7db4859048dca12af579a174e69df3088d6efa0562d
SHA512f39ea66bf720fb573a7a45878d4bd255e66f3709c54f2a00877425072d1b16eca69cda79cabd95705a88b54fd6676e78d39de914470b2569707639681657c92d
-
Filesize
530KB
MD5e63ba8400f262a064a03ad903da92ea1
SHA1ee6722892cf70e631549afe07ef6566b85f5f92e
SHA256b85d1c3b8f669d663ed41d0075485df944d5e0fbacb12b285b30862afd9934f4
SHA512d831ba8fb671364601219947f67214321e4ab6e1bd5362446a90e0455e3095ad9f0d721338d4dbea284c53a51d469a6d575f162d0d36caa3493d69f730004dd5
-
Filesize
883KB
MD5e710131b72c78af653d8d53004137b86
SHA1e2130960a1e26da27507be5fdcf680ecb646914b
SHA256b0b161892bf942f12c413d1c9677688ea67d9e131236ab707726b0ce1b504f33
SHA512be99c3428847c92d735ffa581f9ec311f061285008b728e23dbe692ca3345e1ffedaea19ae55337b65664bfcb665ebe798f21a5c6d8c2bdcce4449b205eeabff
-
Filesize
1.1MB
MD5464cce29c9abcbab188937169d186a28
SHA16a2e7d87d074c17b945396562f140dc3582f41ee
SHA25622401410ce1fa30f7c3526c4e579f092c7b0d96205766eb7d69a34de62e7e2b6
SHA512fe18c91339bad1b6664a878fc73f35880d6ac765acc3f3390312751f1ece5c6aef87293c30af880e456827dd78fff42b345a078c2b9a677697bcde79f5bea98e
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
40KB