Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 10:02
General
-
Target
abd0fa453ed59d06e5c3d6cbafe873f404a47cab8f3c4bcd545fdfa7491ff4b8.exe
-
Size
1.5MB
-
MD5
090c442ab1c3527cff4f2f6ecf5ff0ee
-
SHA1
b13d5874fdf1f09157903266f073595f3f963ed8
-
SHA256
abd0fa453ed59d06e5c3d6cbafe873f404a47cab8f3c4bcd545fdfa7491ff4b8
-
SHA512
a8c7cb90924db8e02d9e318706b8de9473fd1d0d90cf5aa2b6bc7f010267d1d16a837bda18ca2be90fa4b615a928b8ad6ef81c7973e3e7919dc79b19709c2720
-
SSDEEP
24576:4yP5FFcI1Vh7epXc+McyzpMXAVF18geTZ/hoFM4ewM269QDTExGMsP71:/P58IJ4rMcMiXAVoIFMI/C+IxG
Malware Config
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\abd0fa453ed59d06e5c3d6cbafe873f404a47cab8f3c4bcd545fdfa7491ff4b8.exe"C:\Users\Admin\AppData\Local\Temp\abd0fa453ed59d06e5c3d6cbafe873f404a47cab8f3c4bcd545fdfa7491ff4b8.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GX6dP53.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GX6dP53.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cq1Xz43.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cq1Xz43.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NA6Be80.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NA6Be80.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fl1jt00.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fl1jt00.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wF7On07.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wF7On07.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rn41pE7.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rn41pE7.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xw3018.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xw3018.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SL66xc.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3SL66xc.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4qY375Ju.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4qY375Ju.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5nr8ig0.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5nr8ig0.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Dc0Yn1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Dc0Yn1.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VG1Km71.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VG1Km71.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\64F4.tmp\64F5.tmp\64F6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7VG1Km71.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ff9ea9846f8,0x7ff9ea984708,0x7ff9ea9847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5576 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5800 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2782210784438984067,922564153302615870,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x8c,0x16c,0x7ff9ea9846f8,0x7ff9ea984708,0x7ff9ea9847185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6229016996797731821,17764999435930953007,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,6229016996797731821,17764999435930953007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9ea9846f8,0x7ff9ea984708,0x7ff9ea9847185⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x4941⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5c9c4c494f8fba32d95ba2125f00586a3
SHA18a600205528aef7953144f1cf6f7a5115e3611de
SHA256a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA5129d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
-
Filesize
152B
MD54dc6fc5e708279a3310fe55d9c44743d
SHA1a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA5125874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
-
Filesize
1KB
MD51208bf76cd696f6abfc19ddf586c5f16
SHA1f308362d0fc495235f05b11d240b9b20a0597f4d
SHA256990d42a363ca54c8e5c22bb49608d413dfa192fa475692e31b8f96228d4f15c5
SHA512463f52eb9597e1040de8c93af3ad53909fd5c7eb758f5961aee152d0df741563249396804cf9eccceb5ce1ddadbe539bb9d7366efd9296d42850f6f08ae0f07b
-
Filesize
2KB
MD52c7d4ed8f2f3ad717a99ddd175f0a928
SHA1e34d92e75b3bfb455a673daaaf12ef835eb91488
SHA25605fc0815a4ecff9a32dedf30bc1f954bbb8a29c81b0b080ea7015356dc1f334e
SHA5128312052bb5d6ebf392b6e752c79b1840214b100d839e35a9cc11ce70a5102f1e65311b458f24b4b7203636ecf84081b91698a6bf205631e9c098fc1db46d6110
-
Filesize
6KB
MD56431ec9fbde2e7022e8c9d6a39c884a7
SHA183cbb0381c1380eb0f0c9cca65fbdcdb5ad2beaf
SHA256d745381c8347ed139cd8dcde67f8f513606d9ab29bdd97563bab3884f73d3d3a
SHA5120ae9af822226b53c08980783c161f255811ee8e09922979c10148f5e99ff824289bfac9204291ec80724a0782486f856424e6a66449ba628e361d5e9a89a6d1b
-
Filesize
7KB
MD572fc149da026f530fda912399ccda009
SHA1e0e52b274a57dcfbd8258571f94d2b191f617a37
SHA256dcb30c6e71bf3689d4438fc9377c7a89f8cd4c188d0f9d407ae8698a18ac033a
SHA512efcf42fb54ec319612105c227ecc198f8f2c4a473e21c22269657bc10ec2b4aad2f934def43b491c84154f3722bba42e7c7af7af2fe05a2ff1ce80da3e83af24
-
Filesize
2KB
MD53e6a57ef193d2c37c376f0679089fb5c
SHA130b9fc65008b8a73858199ab1e86926d8d528b9b
SHA25693f0e2479188d8cad74aff4c253edd4e2c37ce1b498bc2eeb185da2178418362
SHA512eb4bfcf1dbbce4014218835a8074afdd2bb101b6227ef1d0b650508435a9f530be02c0ad1af88111034ad08ef8bab0ebed05473811f5c18ecc3d85c21491d9f6
-
Filesize
48B
MD54517ac876e6967af2ac9838506cdd361
SHA1cd1977a78417c8e1e0f28c0b50a8aba3a56997a2
SHA256ec154ce41c5728d8745e4865e2ca573128352609f56cd152556bf3f55a418c91
SHA51242a635337e6fc569d731404aaaa4d78ad4ce93a414db87e39177cf1e4ad6a4604602325816da5c9ffea0c509d55c028f8fd3403481a7d3bf04ba3277a8162015
-
Filesize
89B
MD57eb2895192bba8f104fe1b45a79b31f7
SHA1692b77a170c5f57761f0bccef2a7a9eb3507795e
SHA2561336f071b7ce3b8b4a9fb8a492cf7005c26443f4b418b8dc2499abfb829de1c0
SHA5127c72dbb3a7fa7a7dfd1c5b60fcf10c6ed135ea113a6f0932c2f9e7164a955362e6c0e758e7bdb3307776a76dc91cb4b924be6c90210a0bcbafeb0f7042125107
-
Filesize
146B
MD51814724380193f2b1a47be641b002494
SHA1ec1228c783cfe20140e327de5228cd58176f6d4f
SHA256a43174e19f2e709a7c797fab7eb5a7d0185cb4ca39fc71d8d159d3a1e192e8ed
SHA512ca496a721fe120fae7fdc2dd488f4bffd74d860752bf8ce24456ec4d83356bb9f64d026b085962af5c53030558d4acfe037628c6a68f707a58543c0fed361b36
-
Filesize
84B
MD575dfe08d0710d35ad456e206ab740051
SHA1b3612028109c557e747a8cfc851e814566652201
SHA2561d9874a3fc4bb46fbc7c8defc227079f3917f82a4ad1e7a88b5f7d6819550810
SHA5126e8e74d86796e2c1df15298612c46e8ca60e58700163b92b7d9401f4654e3f06caa6f57a98939bea9bbd1e8821f0935cc6217daea09cf68ae4fcc9fb09cf8bbd
-
Filesize
82B
MD521447fc89bce1c9d2b1935afc600da3b
SHA15798ae089e7d1dbb378ce4a49c1428c600d8bcd4
SHA256c56890271b78ff96a38a7c712a33da3ed538e40a0f300b5c91fe43d119e10cec
SHA512441e44cf01199d08d57bbc9d86c83d0799a7363823f0e9aa636cc1001846399041ebec1c0a89af7962e3ba1a806a4bde002820ac5fa1f3cc383babfe168a63f5
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
72B
MD55a5561d1531460bf5c54e7cc748e0694
SHA139ad0c1932c38e6f826bc093a4ae7c8fad0bb124
SHA2562e69f7dae5285b4420fdde950b69e1181c4b4700c0bf03abe420b2f1dc5c4566
SHA512ce91318fc0cc13fac696a3037c17784cfaed13202aa8a2b9a25a3d68f35fef87f6412431d9071784d6e8b108d62f8db6c085d72cbbdc02ffcfb7cc0fa366cd30
-
Filesize
48B
MD5c1cd7611f946fff5e7cb0a89c744cc2e
SHA105ce153b20d116b441b7bef39ee44568b56c5b05
SHA2565539255c9066cfa1bb2be24a04612cfc2e40cc52fba88285785122fb26c60966
SHA5127355a761cf9fa25e33049bd8c3383db0421d3132bb8d663d98002f6d8228a2125e025749dd17552b8e960f98f17c27f7976f25cfed7f3531a4437784e9dfae37
-
Filesize
1KB
MD5ed40064e9727207212605857a655ea57
SHA153a26f41680b728839b6e1f8b42fa1bcd1070683
SHA256194b205d2ceb8e942867a8966fece072504138cd13bf107d0368310ec6e8eef3
SHA5120c2acf3397ae5083c41e9b1913862e334d3c99805efcac566f75c290af10f66d72e698fe9185fdc4ba15d8312be998f032279121b1b970197f3c8d808491151f
-
Filesize
1KB
MD5dfd91dff477083f89f6de5ecebf7afa7
SHA11c601e95221a34e1c45d3af3599fae20a58e1c3d
SHA256e9b2c17ba6071310c4c28b637d3e39e1583086692c6fba5663eaa99722b8b510
SHA512637e3dde4c7dc00ae937e1169039e4d5807f328eccf25fb35e94683771d98375313a1fc810c698518ac02f28c2dab6e5350ec1c5b88c463e3106f8e91eb383df
-
Filesize
1KB
MD56530b8fcf07f6eafa5e172c5ca5f40d0
SHA162b0514bcc140165e45202316b8e722b65c643b3
SHA2562a078e7bcf817d38534922464cfa2d2924920c2100bf5bd5794d6a53e4801686
SHA51235d10130af332d05a9c6155d87875a8d03241837c02790a8e8fbdec58284cb13969c0b35fa86ee7188e26bfee3f779d7e5d58f1d80ddd29ae5ee3d222cb0d400
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5acb2df82f70112db63171408fa71360f
SHA1755139d4d9f5da693599cc1bce42e0f8db8ec0e2
SHA256c438fc30b8e70cfa86062dcf5c82e4cd5a5d376eb1013bed0764891d01a746ae
SHA512719e9555f81e051003ec34c8e0fcaa0da73edf588135ec13832e4e449fd93ce68075186932ff9544820a6cc1aa5712f7c94831752342c9d6e129059967cc831b
-
Filesize
8KB
MD573b631c64ae9713f4daee52574afc98f
SHA10a20420f743b06549cf3cd7ef60f6047989d4d62
SHA25603f07e41335984316887e6b606525ad7589de37e6fc1255e501343203500ca4e
SHA512af43597ed219ce6bb23f4a6d3a9f3db6348a9624d6d285e6e6c26c0dc5cda737ded7c49c123f88eee718f6159aedae03ca4cdce2f1e5e17d3aee12e0df2bf91c
-
Filesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
Filesize
87KB
MD5733260e78efb91cb4fe09932746aeea3
SHA1870d06dc47e43dbba1c4031863cb957b296fbd42
SHA25625eea2eb8214a02eefb1e1b3353358f49421a80ba8a57e35da05a337eec63532
SHA5124d222d2e9f3ebfcc625e230dc3ce1cb635e887574a2caad6cb709f3069b9e57cf3ba7391cabf49b34142cd72b68e81138593e202635375610b1c7a0883d1ee60
-
Filesize
1.4MB
MD5cd2e5a6e3a0d0dfc225ca700b312d0ac
SHA1afac101dd49eb5ec7f9c9de38a8603b7b715c2b8
SHA2566b30e5c863ed130a00c56a885ff6315139fd1c4d79b53fe2b85bf56398b8c1db
SHA512ecb33797e4c6c7aa257312da4ff66ff6efded35a4c37fb2500b033ee97850124fca44a6afb4a1f759d592358f2b1dca7a8b9f70c7e57baed0ff4635ce60155a5
-
Filesize
182KB
MD567f359841d2b61bd08ba247d10c5f7ff
SHA12445162f42cd9ef77c50066f158ea68a4219defc
SHA256831dd4122cd5e38fc9e3cfe08493969a7973f1b252c09949a76d25e1dd720835
SHA512e9f3e57b0f25a0c9266c02e18dc264bdb3c96eb0c8dbacd3e82c20632bb84de8fa9189eea70484a99d2d565d432bd79c2e5dfce6c2aa86e37656b838a834ced4
-
Filesize
1.2MB
MD58d421c79a3341875caebb39bd9368933
SHA17c332b707c82a5841b73934a8377b22a22d66691
SHA2567598fd7347ff4f465f736f38770a14d99a4344cf01731d413f30a8aefc436520
SHA512c16ecd6a87d1719a71cec28ecd4db134f3bbfa946cd48f076127720086a7209dba631c17460110f5cfbf5ec4053699c9f49e242279ec614c0dc3014d38e7ac89
-
Filesize
219KB
MD5f80019aa9c1b51d98c4a0d25addaa5d1
SHA14dddcafb490dfe02401b954298dd51f97b3ed963
SHA25662fdd2756661ccc65b22f8f61896745a7e4c92d124fe479d63c4bb6169b2217a
SHA5123e3192d3ef19c2ff72c6e6ee741c7fe50204ca0f17c0b026237b1c48997861afbb03df047026649c543069ad7d3d3005dc6204fbe2ae619de0c12f2ccdf9741b
-
Filesize
1.0MB
MD5b5226222671d0eb38d115369f9e3b3fd
SHA15f56eb00b892573b681e52b92acbec685bb50457
SHA2565cf33624b3028fc58ad3113d2b2af02d5f0e28b5af86732c11c793d0815fe71d
SHA512b73acce899c7e188bf670a09c007a44cb91649f45c9b27fd816de9d74b255117d814c9ccbde8314a3971951d63745dfbf85cbf8d8506872f81a9dd699c08591d
-
Filesize
1.1MB
MD556a9bd5061f94cdf4cf7927c442fecc7
SHA182473894baae8421a8a5142494926a4fe67fe5f9
SHA256b45df4e5f20804c147c645d5904977853aa905531929e4546b152e50886c2f08
SHA512d0d0c8d7984c5abc174957e1e3d3b18610999a6b616cb0930b01c05ec607cde05f8b8cc6272af56ab6b29ae4e54889323e5bbbefbd995d359cc2d925a6af6b44
-
Filesize
650KB
MD51a8cf41b8b82284e6ba564d9b9ec58ed
SHA1680d4f766612030ce97f004790da4c9d0ddb6bbc
SHA256e92fa8f376ab8a3957807dae0e7b4a184941c16161ac28a6ffc7af930e697f5c
SHA512cbb71d6eaf1912edf4345d2edf0d33d178ef28b207ac1740a7e70f16532bbd632d7ba05d35fe9696ecb52b8026491d8eb3a65171f57c16d257c080ea6dc0ffb4
-
Filesize
30KB
MD57e09ae6b690b966c4427422ff299387f
SHA196b4436d4ac2b74d03da93c8b684a9c4dd31e255
SHA256529f46611ba2b67adfea65f7e85df65681e1078f6e04496ad1d0c3e30f4a2ed6
SHA512c306f1e07feeeb7b34e66f08d430be1ce650317879d6918778273ee6b3dcdd0c99ae281f0a54c36a5ac0f9d665453d13a2dc8aaa7cd8a502ae89127249626c25
-
Filesize
526KB
MD5ffc0b3984bcb3db689b7bb1e9a082951
SHA15f1d8155cf5326470f3d08b81bb6c7956c1051f2
SHA256aecb2f271987b4d55e4cbb36edf2eba0a0ec5eadeb5f887aa2175d65d0cd2db2
SHA512714fdec677169e72ff2624595e33c05f0cf7a4b6f3ea5aeb2cc5f2213256a52ad165c5379187dae6bad258a88b29ff8efdcdc706946ed69986603101981e4024
-
Filesize
886KB
MD52ebe781860fb4096e62e5d83a893ef6b
SHA1ea459577a9ca4de28643c0655d9b6b2797c39f3b
SHA256f1d071c5613bef43e1522f36bc2f07af3291a09ab3c5d074fc844843568beb0a
SHA512b18d5e864657386e13284821730032c6cd6ee0388b73502f5888cd3edc4b878b7a974830b05ff86afc9c68cd00f5901bf88979f5747c15568e6cbcbf2d12b0da
-
Filesize
1.1MB
MD5b218af319f7046337bb5a2f97c6f0d4f
SHA170dfeb3371f38f5889249c5f082428eb9a10d5c4
SHA256787223af9654def808379b6a38ffb7524abf6f13d9e653b468d383874da9ae91
SHA51226c88cd23128d35cc4fb86285231a0f336609ea8cd8fbc3360e96738c7991000b3d76bc3ac826fc9c64fa23bb8d698a4744ffc788eb145852f48ec972260a253
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
1.0MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
240KB