Overview

overview

10

Static

static

3

00dd845a27...d6.exe

windows10-2004-x64

10

0e4f6fa259...f8.exe

windows10-2004-x64

10

160cf91bb4...9b.exe

windows10-2004-x64

10

2469003f42...fb.exe

windows10-2004-x64

10

37d87e8c1a...0c.exe

windows10-2004-x64

10

4c3f025b17...a7.exe

windows10-2004-x64

10

4de214f155...f2.exe

windows10-2004-x64

10

4fe5ee134e...25.exe

windows10-2004-x64

10

5bc4a6b3d5...f6.exe

windows10-2004-x64

10

62325240aa...fc.exe

windows10-2004-x64

10

77ac4e5ef8...53.exe

windows10-2004-x64

10

78a2f3c49d...66.exe

windows10-2004-x64

10

7c1372b4b0...fc.exe

windows10-2004-x64

10

7cd3eb4cd6...0e.exe

windows10-2004-x64

10

7dee432d6d...a7.exe

windows10-2004-x64

10

a277894fe9...7d.exe

windows10-2004-x64

10

cd0d56c5ce...15.exe

windows10-2004-x64

10

d304eb3331...e2.exe

windows10-2004-x64

10

d3dd28146b...8b.exe

windows10-2004-x64

10

ece19c5d5c...54.exe

windows10-2004-x64

10

f9789caac1...5f.exe

windows7-x64

10

f9789caac1...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854.exe

  • Size

    1.5MB

  • MD5

    ec417563dcc0b40dd4df530fab086b34

  • SHA1

    0fbbdc8e4d8d4f002bccaaeeaf45a4568a951e5d

  • SHA256

    ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854

  • SHA512

    384cd2c4f9e2d4e320522be0e2acf107706f601fb253ca88c2945b68d3acfe31fcb9311d64bda686b6bf397877825cef5a30dd3dcf7db4433470ed3e49cd0fbd

  • SSDEEP

    24576:RyE/0Wzk0wwhw5K+y9iSn5PJvsH4UDlKl3YxFhSmCBwRe0MrQUlzpn/U5:Ec0WLwsd0XH4UQoxF0mkwqrLlFn

Score
10/10
amadeymysticredlinesmokeloader04d170gromebackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854.exe
    "C:\Users\Admin\AppData\Local\Temp\ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV6zM85.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV6zM85.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uX9FR06.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uX9FR06.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG4hJ97.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG4hJ97.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4548
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wr3eo20.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wr3eo20.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3308
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uN9PI06.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uN9PI06.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:4020
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rh07DL5.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rh07DL5.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1740
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                  • Modifies Windows Defender Real-time Protection settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3256
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Wo8692.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Wo8692.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1304
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                    PID:2256
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    8⤵
                      PID:940
                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3mc64KK.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3mc64KK.exe
                  6⤵
                  • Executes dropped EXE
                  • Checks SCSI registry key(s)
                  PID:2604
              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nj065Ki.exe
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nj065Ki.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:5108
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  6⤵
                    PID:2080
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    6⤵
                      PID:512
                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5uI6IV7.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5uI6IV7.exe
                  4⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:3240
                  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                    "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
                    5⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    PID:2700
                    • C:\Windows\SysWOW64\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
                      6⤵
                      • Creates scheduled task(s)
                      PID:1388
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
                      6⤵
                        PID:2360
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          7⤵
                            PID:2900
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "explothe.exe" /P "Admin:N"
                            7⤵
                              PID:4696
                            • C:\Windows\SysWOW64\cacls.exe
                              CACLS "explothe.exe" /P "Admin:R" /E
                              7⤵
                                PID:2928
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                7⤵
                                  PID:4788
                                • C:\Windows\SysWOW64\cacls.exe
                                  CACLS "..\fefffe8cea" /P "Admin:N"
                                  7⤵
                                    PID:4832
                                  • C:\Windows\SysWOW64\cacls.exe
                                    CACLS "..\fefffe8cea" /P "Admin:R" /E
                                    7⤵
                                      PID:4944
                            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6RE3rI1.exe
                              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6RE3rI1.exe
                              3⤵
                              • Executes dropped EXE
                              PID:216
                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7na2Uy56.exe
                            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7na2Uy56.exe
                            2⤵
                            • Executes dropped EXE
                            PID:1664
                            • C:\Windows\system32\cmd.exe
                              "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3A5.tmp\3A6.tmp\3A7.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7na2Uy56.exe"
                              3⤵
                                PID:4700
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                  4⤵
                                    PID:4428
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
                                    4⤵
                                      PID:4072
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                      4⤵
                                        PID:2852
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
                                        4⤵
                                          PID:3992
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
                                          4⤵
                                            PID:1260
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
                                            4⤵
                                              PID:3304
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
                                              4⤵
                                                PID:708
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
                                                4⤵
                                                  PID:4804
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
                                                  4⤵
                                                    PID:216
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                                    4⤵
                                                      PID:4316
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3812,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1
                                                1⤵
                                                  PID:3532
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4404,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:1
                                                  1⤵
                                                    PID:5068
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5016,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:1
                                                    1⤵
                                                      PID:208
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5412,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
                                                      1⤵
                                                        PID:4560
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5440,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8
                                                        1⤵
                                                          PID:4540
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5500,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:1
                                                          1⤵
                                                            PID:3960
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6028,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:1
                                                            1⤵
                                                              PID:1076
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6200,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:1
                                                              1⤵
                                                                PID:652
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6224,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6340 /prefetch:1
                                                                1⤵
                                                                  PID:2140
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6560,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:1
                                                                  1⤵
                                                                    PID:2960
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6744,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:1
                                                                    1⤵
                                                                      PID:2580
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6872,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:1
                                                                      1⤵
                                                                        PID:4968
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7032,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:1
                                                                        1⤵
                                                                          PID:1488
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7080,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=7176 /prefetch:1
                                                                          1⤵
                                                                            PID:1104
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7220,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6868 /prefetch:1
                                                                            1⤵
                                                                              PID:4900
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7532,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=7512 /prefetch:1
                                                                              1⤵
                                                                                PID:1696
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=7800,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=7828 /prefetch:8
                                                                                1⤵
                                                                                  PID:2928
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7812,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=7840 /prefetch:8
                                                                                  1⤵
                                                                                  • Modifies registry class
                                                                                  PID:4316
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7336,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=8036 /prefetch:8
                                                                                  1⤵
                                                                                    PID:3616
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7816,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=8216 /prefetch:8
                                                                                    1⤵
                                                                                      PID:5364
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=8384,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=8400 /prefetch:1
                                                                                      1⤵
                                                                                        PID:5428
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=8544,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=8248 /prefetch:1
                                                                                        1⤵
                                                                                          PID:5492
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=8848,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=8852 /prefetch:1
                                                                                          1⤵
                                                                                            PID:5732
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=4176,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1876 /prefetch:1
                                                                                            1⤵
                                                                                              PID:5888
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=8228,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=7560 /prefetch:1
                                                                                              1⤵
                                                                                                PID:5184
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5908,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
                                                                                                1⤵
                                                                                                  PID:6584
                                                                                                • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                                                  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                                                  1⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:6796
                                                                                                • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                                                  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
                                                                                                  1⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:1988

                                                                                                Network

                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                Replay Monitor

                                                                                                Loading Replay Monitor...

                                                                                                Downloads

                                                                                                • C:\Users\Admin\AppData\Local\Temp\3A5.tmp\3A6.tmp\3A7.bat
                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  7b647e6e2fe8ece9cc38d86ab95c31fb

                                                                                                  SHA1

                                                                                                  7d6b6e3db6b992cdfd914a4ab6743069ef3ee695

                                                                                                  SHA256

                                                                                                  b6f37b77b69495d6aca9afa3f6339b64e47ac518ee35211cb287bb112ad1b5a1

                                                                                                  SHA512

                                                                                                  bb920ac8a783ebbdc595038695ac3f3f656e9c41ed05ef8e671d2fdc93ce2a015529d7c2aac2d7149a8a6fb1903f3cf90bda8dbc30876ec8248b031cceeef46a

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7na2Uy56.exe
                                                                                                  Filesize

                                                                                                  91KB

                                                                                                  MD5

                                                                                                  4113c408f72e2fbd023e982f7e4e8a07

                                                                                                  SHA1

                                                                                                  aad658f363ab2c15926b24d0ba8f742920cc31ca

                                                                                                  SHA256

                                                                                                  af80c460b2a26d36ee1f94155f2757984eed395c3cac0154df5013b3ab9acde0

                                                                                                  SHA512

                                                                                                  102357cbbc6c163c9203fc5a6a71d187955e2f1f62cf92ec3ca985c4b20daed22cd4c920ac82a0fc54a6cea0a7cd2e466a6fb256dfb75c470cd4ce8b34eff9fa

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV6zM85.exe
                                                                                                  Filesize

                                                                                                  1.4MB

                                                                                                  MD5

                                                                                                  d1b4083ba7f44549ff19bbcbd152e3e1

                                                                                                  SHA1

                                                                                                  bc3a68cf865615cdf14287c79283f851e24dd4fe

                                                                                                  SHA256

                                                                                                  5c8aae534cb374e9477759636df98feca4f8eb2376358496f41d8c998a0c656f

                                                                                                  SHA512

                                                                                                  ed27cd4a77f4792bbb32ca0610249e2c503bfa3f2f67229745a6c37325de43f749c683b72885d2934352f02471c2a76c6461a316e1a66c46da9a8589eee6c0ca

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6RE3rI1.exe
                                                                                                  Filesize

                                                                                                  183KB

                                                                                                  MD5

                                                                                                  f9305f6b1a2f0f6c319fadbb5d9927ed

                                                                                                  SHA1

                                                                                                  13def4d1df371f48259533a2614b02a7b7bd0bd3

                                                                                                  SHA256

                                                                                                  7bfed7d2382a5834494fa016ccd9c430a5973d7e4dcafacfe30176d573426a44

                                                                                                  SHA512

                                                                                                  bff592a01994066ef701cd6db525b794641ad9ed129633a764c65a7b450a35a01189eb7a9ab0137f923c7fc14f6db4cbcf2c2e681225b35d071f9a3235bd6f26

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uX9FR06.exe
                                                                                                  Filesize

                                                                                                  1.2MB

                                                                                                  MD5

                                                                                                  ab04b923caf6c095069a2ef43ac66ad4

                                                                                                  SHA1

                                                                                                  41c25c158eb420327877b01ff0f173876fa32a0b

                                                                                                  SHA256

                                                                                                  88aa107f4c0a1753c703e6033dc8f63bced2150418d138d2b58639059105073a

                                                                                                  SHA512

                                                                                                  7f9762b754d700ee44fb539123850f97a4d949928aca415d48bcabd7f9a2643043dca11173aa361c4222e6cfdea288af0e4601bae4f76710c153927580838241

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5uI6IV7.exe
                                                                                                  Filesize

                                                                                                  220KB

                                                                                                  MD5

                                                                                                  49935153ec8a752368b2b1fb59170836

                                                                                                  SHA1

                                                                                                  400b84585426d9322e14888ca9977057eaadd1ee

                                                                                                  SHA256

                                                                                                  c02db64b860881efcd9d36beef4007d5b0c3f57dafb9146a8f823f04f73642f8

                                                                                                  SHA512

                                                                                                  d1e2e2d01883f2cfa05a7167e69dfefbf5931010e19ca76edbb766652f4531df21ca9452333e2421cea269bffee513b793a3dce3768e622b45754d100bf5e8b9

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iG4hJ97.exe
                                                                                                  Filesize

                                                                                                  1.0MB

                                                                                                  MD5

                                                                                                  314575580c4f1dbb978c74b1860e7313

                                                                                                  SHA1

                                                                                                  6c51733ec6789baebe7c2445e7f15c747e99081b

                                                                                                  SHA256

                                                                                                  22565082124ac05630004fac40655e814fc96c627fd1c8064f3a8323f8bb591f

                                                                                                  SHA512

                                                                                                  918c35ce82606253257a7ae392977a75f5f99e3891d62fc6080d0aafaafb315fcf7d2f20070e695563f1c2a80d8bf5c3bc8c2542f197d69c594e48ae7c6688ad

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4nj065Ki.exe
                                                                                                  Filesize

                                                                                                  1.1MB

                                                                                                  MD5

                                                                                                  f56d91ab910d7811cd732255e6ec913c

                                                                                                  SHA1

                                                                                                  a1ff30007ca1de894c74d6c5cb381d56e7795c19

                                                                                                  SHA256

                                                                                                  c633cd3ea3e776bd89800635127767c3c6f134c5f473250f08f45d4d07a79f40

                                                                                                  SHA512

                                                                                                  de161642efadeacbfc64c4df1b962c2366ae01e8b4d63c45d57d4d7e03a2a14a968a654ccfd97e799924f9116f97bb28fefa377df7bc21db81f75e9a665ff928

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wr3eo20.exe
                                                                                                  Filesize

                                                                                                  647KB

                                                                                                  MD5

                                                                                                  e44fc24d22938b8199d799082d39955d

                                                                                                  SHA1

                                                                                                  e836ddc40a8ea98a1c1c88fe1a940b7525a0c1bf

                                                                                                  SHA256

                                                                                                  73ff547bd4669fef4555000c2fecec61bd87fa1afc19be25432b60dba65a9e1a

                                                                                                  SHA512

                                                                                                  ee71d8597fa5b3c14e3baea9d8aa47dc0d69d8402b9a9789dacf4d4856c04dea9f8e0888653da3379ddc27fe8708387f6da1cd2d1f3db9c7e55007266ee9cd73

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3mc64KK.exe
                                                                                                  Filesize

                                                                                                  30KB

                                                                                                  MD5

                                                                                                  0de160f08d46e9cf071ed010da76f8f0

                                                                                                  SHA1

                                                                                                  a4a784a5bba15283c847a9454cd5ca508c6fe7ed

                                                                                                  SHA256

                                                                                                  10e4992233ab7f9576e143345c16e9bae5e0d9649272c450c20637d1bc221c81

                                                                                                  SHA512

                                                                                                  b66411f2b6728391d94e6ad682c2478ed4a602035a15c5640f7d1d6448385a9ac3b2e2179894ff16ec4e95fc244e49da7f06845db4db074df36fd64e7e7ef50b

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\uN9PI06.exe
                                                                                                  Filesize

                                                                                                  523KB

                                                                                                  MD5

                                                                                                  f7ee99a25df20794aa92ad4f772bb624

                                                                                                  SHA1

                                                                                                  cbe21eb6114e2f75e488f138ea5a0fe17aa0bc17

                                                                                                  SHA256

                                                                                                  ea9077fc083a16b41338afe600d4721090ca50df7a3928e5263770add2991de2

                                                                                                  SHA512

                                                                                                  800b3fb31e83617b77c0600144e386a34a32f328b29a646af2e23b17f42fe6bd3e1a342502e6d8fbebc7cf82493a719deb93c220218ba418e96f643d1cc04120

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rh07DL5.exe
                                                                                                  Filesize

                                                                                                  878KB

                                                                                                  MD5

                                                                                                  21b4cfa79fd054ab08987b3b3102fe4e

                                                                                                  SHA1

                                                                                                  7a57d99abd690e71d5d6e03b074beba25202b76a

                                                                                                  SHA256

                                                                                                  aab8bfb484fbf9ba06e46df9b9dee09971664890c22d84e489588ddc644cd766

                                                                                                  SHA512

                                                                                                  017d00a445fdecf30e36b3b32dbc44165e1f034cdc81f2de148155012a1dca0e44b4cbe86eb4535bd5aa389e9d32efedce7605979e82ac4c373ea0ae39f15555

                                                                                                  Download Submit

                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Wo8692.exe
                                                                                                  Filesize

                                                                                                  1.1MB

                                                                                                  MD5

                                                                                                  0d551543a8d094994c3991297cb2ff75

                                                                                                  SHA1

                                                                                                  487c370e1fb83380e83a59e98c532777d4caf74c

                                                                                                  SHA256

                                                                                                  e609f088217132479f2b28ee6910669badedd4227cfeb508fe8ad282610804ba

                                                                                                  SHA512

                                                                                                  e2678db4856910eb5ccaaead906196d1257a8669da7a61b86dc6dcae19e33d4722fe4b1c709a10452202f21f95929707811efbb87c324968aeb25a7ca0554ae0

                                                                                                  Download Submit

                                                                                                • memory/512-82-0x0000000007D90000-0x0000000007E9A000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.0MB

                                                                                                  Download

                                                                                                • memory/512-76-0x0000000004F90000-0x0000000004F9A000-memory.dmp

                                                                                                  Filesize

                                                                                                  40KB

                                                                                                  Download

                                                                                                • memory/512-58-0x0000000000400000-0x000000000043E000-memory.dmp

                                                                                                  Filesize

                                                                                                  248KB

                                                                                                  Download

                                                                                                • memory/512-86-0x0000000007C00000-0x0000000007C4C000-memory.dmp

                                                                                                  Filesize

                                                                                                  304KB

                                                                                                  Download

                                                                                                • memory/512-64-0x0000000007F00000-0x00000000084A4000-memory.dmp

                                                                                                  Filesize

                                                                                                  5.6MB

                                                                                                  Download

                                                                                                • memory/512-65-0x00000000079F0000-0x0000000007A82000-memory.dmp

                                                                                                  Filesize

                                                                                                  584KB

                                                                                                  Download

                                                                                                • memory/512-85-0x0000000007BC0000-0x0000000007BFC000-memory.dmp

                                                                                                  Filesize

                                                                                                  240KB

                                                                                                  Download

                                                                                                • memory/512-83-0x00000000079C0000-0x00000000079D2000-memory.dmp

                                                                                                  Filesize

                                                                                                  72KB

                                                                                                  Download

                                                                                                • memory/512-80-0x0000000008AD0000-0x00000000090E8000-memory.dmp

                                                                                                  Filesize

                                                                                                  6.1MB

                                                                                                  Download

                                                                                                • memory/940-47-0x0000000000400000-0x0000000000434000-memory.dmp

                                                                                                  Filesize

                                                                                                  208KB

                                                                                                  Download

                                                                                                • memory/940-46-0x0000000000400000-0x0000000000434000-memory.dmp

                                                                                                  Filesize

                                                                                                  208KB

                                                                                                  Download

                                                                                                • memory/940-49-0x0000000000400000-0x0000000000434000-memory.dmp

                                                                                                  Filesize

                                                                                                  208KB

                                                                                                  Download

                                                                                                • memory/2604-54-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                  Filesize

                                                                                                  36KB

                                                                                                  Download

                                                                                                • memory/2604-53-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                  Filesize

                                                                                                  36KB

                                                                                                  Download

                                                                                                • memory/3256-42-0x0000000000400000-0x000000000040A000-memory.dmp

                                                                                                  Filesize

                                                                                                  40KB

                                                                                                  Download