Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 18:50
General
-
Target
ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854.exe
-
Size
1.5MB
-
MD5
ec417563dcc0b40dd4df530fab086b34
-
SHA1
0fbbdc8e4d8d4f002bccaaeeaf45a4568a951e5d
-
SHA256
ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854
-
SHA512
384cd2c4f9e2d4e320522be0e2acf107706f601fb253ca88c2945b68d3acfe31fcb9311d64bda686b6bf397877825cef5a30dd3dcf7db4433470ed3e49cd0fbd
-
SSDEEP
24576:RyE/0Wzk0wwhw5K+y9iSn5PJvsH4UDlKl3YxFhSmCBwRe0MrQUlzpn/U5:Ec0WLwsd0XH4UQoxF0mkwqrLlFn
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
grome
C2
77.91.124.86:19084
Extracted
Family
amadey
Version
3.89
Botnet
04d170
C2
http://77.91.124.1
Attributes
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
rc4.plain
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854.exe"C:\Users\Admin\AppData\Local\Temp\ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV6zM85.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV6zM85.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uX9FR06.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uX9FR06.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG4hJ97.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG4hJ97.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wr3eo20.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wr3eo20.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uN9PI06.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uN9PI06.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rh07DL5.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rh07DL5.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Wo8692.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Wo8692.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3mc64KK.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3mc64KK.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nj065Ki.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nj065Ki.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5uI6IV7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5uI6IV7.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6RE3rI1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6RE3rI1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7na2Uy56.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7na2Uy56.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F0A9.tmp\F0AA.tmp\F0AB.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7na2Uy56.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4208,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4312,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5280,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5432,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5444,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=1940,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5460,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6208,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6360,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5976,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6728,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6892,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=6904 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7020,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7188,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=7176 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7016,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=7368 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7680,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=7672 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=7616,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=7788 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=8016,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=8000 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8008,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=7992 /prefetch:81⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7976,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=7692 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=8416,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=8388 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=8564,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=8580 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=7928,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=8700 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=9032,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=9056 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=8348,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=6924 /prefetch:11⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5908,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\F0A9.tmp\F0AA.tmp\F0AB.batFilesize
1KB
MD57b647e6e2fe8ece9cc38d86ab95c31fb
SHA17d6b6e3db6b992cdfd914a4ab6743069ef3ee695
SHA256b6f37b77b69495d6aca9afa3f6339b64e47ac518ee35211cb287bb112ad1b5a1
SHA512bb920ac8a783ebbdc595038695ac3f3f656e9c41ed05ef8e671d2fdc93ce2a015529d7c2aac2d7149a8a6fb1903f3cf90bda8dbc30876ec8248b031cceeef46a
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7na2Uy56.exeFilesize
91KB
MD54113c408f72e2fbd023e982f7e4e8a07
SHA1aad658f363ab2c15926b24d0ba8f742920cc31ca
SHA256af80c460b2a26d36ee1f94155f2757984eed395c3cac0154df5013b3ab9acde0
SHA512102357cbbc6c163c9203fc5a6a71d187955e2f1f62cf92ec3ca985c4b20daed22cd4c920ac82a0fc54a6cea0a7cd2e466a6fb256dfb75c470cd4ce8b34eff9fa
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV6zM85.exeFilesize
1.4MB
MD5d1b4083ba7f44549ff19bbcbd152e3e1
SHA1bc3a68cf865615cdf14287c79283f851e24dd4fe
SHA2565c8aae534cb374e9477759636df98feca4f8eb2376358496f41d8c998a0c656f
SHA512ed27cd4a77f4792bbb32ca0610249e2c503bfa3f2f67229745a6c37325de43f749c683b72885d2934352f02471c2a76c6461a316e1a66c46da9a8589eee6c0ca
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6RE3rI1.exeFilesize
183KB
MD5f9305f6b1a2f0f6c319fadbb5d9927ed
SHA113def4d1df371f48259533a2614b02a7b7bd0bd3
SHA2567bfed7d2382a5834494fa016ccd9c430a5973d7e4dcafacfe30176d573426a44
SHA512bff592a01994066ef701cd6db525b794641ad9ed129633a764c65a7b450a35a01189eb7a9ab0137f923c7fc14f6db4cbcf2c2e681225b35d071f9a3235bd6f26
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uX9FR06.exeFilesize
1.2MB
MD5ab04b923caf6c095069a2ef43ac66ad4
SHA141c25c158eb420327877b01ff0f173876fa32a0b
SHA25688aa107f4c0a1753c703e6033dc8f63bced2150418d138d2b58639059105073a
SHA5127f9762b754d700ee44fb539123850f97a4d949928aca415d48bcabd7f9a2643043dca11173aa361c4222e6cfdea288af0e4601bae4f76710c153927580838241
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5uI6IV7.exeFilesize
220KB
MD549935153ec8a752368b2b1fb59170836
SHA1400b84585426d9322e14888ca9977057eaadd1ee
SHA256c02db64b860881efcd9d36beef4007d5b0c3f57dafb9146a8f823f04f73642f8
SHA512d1e2e2d01883f2cfa05a7167e69dfefbf5931010e19ca76edbb766652f4531df21ca9452333e2421cea269bffee513b793a3dce3768e622b45754d100bf5e8b9
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG4hJ97.exeFilesize
1.0MB
MD5314575580c4f1dbb978c74b1860e7313
SHA16c51733ec6789baebe7c2445e7f15c747e99081b
SHA25622565082124ac05630004fac40655e814fc96c627fd1c8064f3a8323f8bb591f
SHA512918c35ce82606253257a7ae392977a75f5f99e3891d62fc6080d0aafaafb315fcf7d2f20070e695563f1c2a80d8bf5c3bc8c2542f197d69c594e48ae7c6688ad
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nj065Ki.exeFilesize
1.1MB
MD5f56d91ab910d7811cd732255e6ec913c
SHA1a1ff30007ca1de894c74d6c5cb381d56e7795c19
SHA256c633cd3ea3e776bd89800635127767c3c6f134c5f473250f08f45d4d07a79f40
SHA512de161642efadeacbfc64c4df1b962c2366ae01e8b4d63c45d57d4d7e03a2a14a968a654ccfd97e799924f9116f97bb28fefa377df7bc21db81f75e9a665ff928
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wr3eo20.exeFilesize
647KB
MD5e44fc24d22938b8199d799082d39955d
SHA1e836ddc40a8ea98a1c1c88fe1a940b7525a0c1bf
SHA25673ff547bd4669fef4555000c2fecec61bd87fa1afc19be25432b60dba65a9e1a
SHA512ee71d8597fa5b3c14e3baea9d8aa47dc0d69d8402b9a9789dacf4d4856c04dea9f8e0888653da3379ddc27fe8708387f6da1cd2d1f3db9c7e55007266ee9cd73
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3mc64KK.exeFilesize
30KB
MD50de160f08d46e9cf071ed010da76f8f0
SHA1a4a784a5bba15283c847a9454cd5ca508c6fe7ed
SHA25610e4992233ab7f9576e143345c16e9bae5e0d9649272c450c20637d1bc221c81
SHA512b66411f2b6728391d94e6ad682c2478ed4a602035a15c5640f7d1d6448385a9ac3b2e2179894ff16ec4e95fc244e49da7f06845db4db074df36fd64e7e7ef50b
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uN9PI06.exeFilesize
523KB
MD5f7ee99a25df20794aa92ad4f772bb624
SHA1cbe21eb6114e2f75e488f138ea5a0fe17aa0bc17
SHA256ea9077fc083a16b41338afe600d4721090ca50df7a3928e5263770add2991de2
SHA512800b3fb31e83617b77c0600144e386a34a32f328b29a646af2e23b17f42fe6bd3e1a342502e6d8fbebc7cf82493a719deb93c220218ba418e96f643d1cc04120
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rh07DL5.exeFilesize
878KB
MD521b4cfa79fd054ab08987b3b3102fe4e
SHA17a57d99abd690e71d5d6e03b074beba25202b76a
SHA256aab8bfb484fbf9ba06e46df9b9dee09971664890c22d84e489588ddc644cd766
SHA512017d00a445fdecf30e36b3b32dbc44165e1f034cdc81f2de148155012a1dca0e44b4cbe86eb4535bd5aa389e9d32efedce7605979e82ac4c373ea0ae39f15555
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Wo8692.exeFilesize
1.1MB
MD50d551543a8d094994c3991297cb2ff75
SHA1487c370e1fb83380e83a59e98c532777d4caf74c
SHA256e609f088217132479f2b28ee6910669badedd4227cfeb508fe8ad282610804ba
SHA512e2678db4856910eb5ccaaead906196d1257a8669da7a61b86dc6dcae19e33d4722fe4b1c709a10452202f21f95929707811efbb87c324968aeb25a7ca0554ae0
-
memory/1624-83-0x0000000007B90000-0x0000000007C9A000-memory.dmpFilesize
1.0MB
-
memory/1624-58-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1624-68-0x0000000007CD0000-0x0000000008274000-memory.dmpFilesize
5.6MB
-
memory/1624-71-0x0000000007800000-0x0000000007892000-memory.dmpFilesize
584KB
-
memory/1624-86-0x0000000007A80000-0x0000000007ACC000-memory.dmpFilesize
304KB
-
memory/1624-85-0x0000000007A10000-0x0000000007A4C000-memory.dmpFilesize
240KB
-
memory/1624-78-0x0000000004C90000-0x0000000004C9A000-memory.dmpFilesize
40KB
-
memory/1624-81-0x00000000088A0000-0x0000000008EB8000-memory.dmpFilesize
6.1MB
-
memory/1624-84-0x00000000079B0000-0x00000000079C2000-memory.dmpFilesize
72KB
-
memory/2268-53-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2268-54-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3008-46-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3008-49-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3008-47-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/4908-42-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB