Analysis
-
max time kernel
148s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 10:08
General
-
Target
0e5866c0482cf393f74fa629a43250b2a3d3c45a5c86eda348a71f8d88c5da02.exe
-
Size
1.5MB
-
MD5
e806bdf2cc867c5a39f1cbffe65e695e
-
SHA1
74dfb1fd9d2b1bcea8948325ca3012e25266b93b
-
SHA256
0e5866c0482cf393f74fa629a43250b2a3d3c45a5c86eda348a71f8d88c5da02
-
SHA512
b055a049fcd474d22aff8f9dc90b4cdeb8ea011eb74b11ccce293f9f5f6e04195125e627908e0692c408ef2ceadd71774fc0404cb97a8b96490326fcd729c62d
-
SSDEEP
49152:kKQ91oNjukCsG9s0+AHTLsI3H9nLp/xKAVe:U91oNjuk8sAH3JBz
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
grome
C2
77.91.124.86:19084
Extracted
Family
amadey
Version
3.89
Botnet
04d170
C2
http://77.91.124.1
Attributes
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
rc4.plain
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e5866c0482cf393f74fa629a43250b2a3d3c45a5c86eda348a71f8d88c5da02.exe"C:\Users\Admin\AppData\Local\Temp\0e5866c0482cf393f74fa629a43250b2a3d3c45a5c86eda348a71f8d88c5da02.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZR7Up73.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZR7Up73.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PJ3Ca18.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PJ3Ca18.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dT9nP77.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dT9nP77.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\md0wF65.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\md0wF65.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ub8em84.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ub8em84.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fx23bh3.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fx23bh3.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YE9175.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YE9175.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3wD95dh.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3wD95dh.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4kV580aF.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4kV580aF.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mk8jo6.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mk8jo6.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cW8ME8.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cW8ME8.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7kQ4tl81.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7kQ4tl81.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FB77.tmp\FB78.tmp\FB79.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7kQ4tl81.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3764,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3888,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4784,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5404,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5428,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=3848,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5620,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6324,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6500,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6660,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6552,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6980,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6996 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6972,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=7000 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7276,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=7288 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7540,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=7536 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=7756,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=7800 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7804,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=7832 /prefetch:81⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7772,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=8024 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5444,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=8212 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=8384,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=8396 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=8532,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=8780,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=8800 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=8920,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=8968 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=9172,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=7600 /prefetch:11⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6016,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5496,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5df17aff26f059073bed6a5f8824e5c39
SHA1f880f5cbe705ed78afe9cb3a7667b50dbc08443f
SHA256079ad17541306c21039854f1c9a28a9e1b0f131a2fd509f2a6bb1852875a3ea0
SHA5122c9cdd6846b45cbbfcfbe7dbfdaecd32a602c1feb3af1c0a1e894b1e55af5e1e8f095eb60c42bc6efafc37f3c26bc9e45259afbcde9e67bb75c93fb418a1af79
-
Filesize
91KB
MD5f4e2342a64da3e0075f4d715b3b2b439
SHA1be7af5bad4487c74478258271c66c0faa8ae52f9
SHA2567695831691cbc7cc54671b984489ae7b4a11b91c850c68aa5783d18cf1c13710
SHA512eab31097a5c160d585d1a2e0b54db94ff183c8f541bd8277ae5751e8635f255ed2429151a54033c6111f8b88c530a60087e2f340fb166ae2a67d8d4f5f71469e
-
Filesize
1.4MB
MD584d9c69ecbf66f5954e64a51ad1529cd
SHA166f81004eb3f2821addfee8492d6b3f3f72c738e
SHA25607a005b447c5de5e788f2c38e944cc4f551b097a10ba2c81558364777a20574d
SHA5120a8bd489899f131021afb6755bbcb5e27ef2bbe82625e9d7caf74785589b622d7a825af9450006bbd0e4066ddd3c36e6c6b3c8ab6813bf54b01e06ad42cedd5a
-
Filesize
183KB
MD5266a83324e863d27f3dfc734fcb97675
SHA11c86208ae67b855c90d7f7b6fc99e3b3bfd8b7b1
SHA256c6b2f33b6aa7d0efb4e1e5f549ac425b9bf0667ea111cb31699a78898e96bb2b
SHA5121adaaa0898ea948edbe0c66cf47a71f2d6e79e0d05b8c83cb14ba22237a04662f369b75e5a50042807f7c9f701ec80d7fa7f48dbb08130ffe88d00ef8d06ba47
-
Filesize
1.2MB
MD51d7a1ab245a631e5287b12f9afac64f8
SHA11bb77e3e32799e0bf59d501360031310f0d59d96
SHA2563ab1a2b780c41bb48b2f670ab4a3020518486526c5dfe1d0f6306883e13527bc
SHA512020d992ccba501a20d5e912f882a666e475532ca417038c71b2365c90330d72058b608e0fe925523d06818be33f6c1dddac7950f78e3a5bcc48e77205672ee34
-
Filesize
220KB
MD5318bfaab26eb7e207fac46ea1f495655
SHA16e0e9a7fd2312f848bcb18fd19f2730be7ada43c
SHA256a7e8786ad681ce60472560a7a522e9bc927f26c3c35c7088c2645d265981720e
SHA512c5d3e95e6bd7868dabbb30011665d44bcc534c744b51f8872b19f5b1139817ff4e2e5f87d105031b3177f42612870681c44fd62053c8386475b973f1df8c5884
-
Filesize
1.0MB
MD5b39e649ef5c3a8e2a1421c0fa06d7128
SHA185c9ef67a1badc3dd29883133c056d1433470f3f
SHA256c56f12c531a7c4d4abcf37a43aa478a45aac42fde68dd9ec065243c8f2f5b3b9
SHA5123443357f101d617856f4196baa9e40592ccced49b439b805ed15d021185bbd448044c6fbd50db507942d952a1d3a81554da759b2fc19e1b3c638330b270f8aa1
-
Filesize
1.1MB
MD5028c6c3958880b3149e622c6b3a627eb
SHA14014b03868dcc5db3a6a89e9e03147f13b01ce8b
SHA2566b62848d22a45b893c18a0e4d0b8cbf4190dc3bb1ce3252d1655b8fbe281c964
SHA5121d9e8f950bfccab4d6b9104cd021fca1a7bac3e4b6d5006d8411d7d71c100b466c869734f48d03b17388739d8045b0e4732e2ecd142c741f71fd9130a78f749b
-
Filesize
646KB
MD591c39b66c3f6b5b1a8a342659b702b56
SHA126252f3da191e5a54117f37598fefddf9ca0c87a
SHA2562285422076e1af0c0843179902afadd80bc6a26cdaea478d8f26f2c7cb1cff85
SHA51233605f3639ecb8ead73e4caf8c32786b5c0f73710cb784790589eff7af3da5df8ae61ce9d08bb5175d88ccdd93a4610e75f209aab3d1d37e7b8dd9d94075cad9
-
Filesize
30KB
MD55a011cf936b7076f405d8f538d99b5ce
SHA1b27b524e4b0196a488ce2989342c5d1a787d0b41
SHA256e2994359a2832004801711039ae03edc3b4433f906e6664fa73f13ca33b95a78
SHA5128076451e1d8be6efba8def0f5729bcdd355e965f4aec02f947b57764f7a118b4ffc7673713229bea5fa4748b1b632a6e75e365e01c1e7ea97e02772a52448251
-
Filesize
521KB
MD5aa9c26b2ae27353e53a57c580e650f47
SHA1edd6b6cf16b638d6368a7035c2206d172277c13f
SHA2561c0f53ee8f2e775a826012164380286a859c507141ad9515030910f52fe76b13
SHA512994d72fca6ac07b9646a875b1188e7308fcb2f19cd25d1b121d8fff0af468344b845ebcc549a847c9fb5067b791232d2a64cfd0162f20ed29be295204545b707
-
Filesize
878KB
MD56bb8505738ad4613beb215956f4962f0
SHA1ef4fa24af79366b1128e5a20accebbb58006d80b
SHA256b18f4c84782051a6b99178dfb071bd53ea6e6bf58daae01cfcaaeb71bf0e6fee
SHA5127baaa854ea423c60a581de8773d6ae72395541e5853c0301e41b6b38f77c8e5976357a549cfb1121e3bb89a3978cc504917ae17bcbd63247ac200ea8dafc92b9
-
Filesize
1.1MB
MD54dec12fe22b5350777718f0a3f0ba418
SHA1373a135c102d906b936777a3daae52db4b34f29d
SHA2561f7fde5f102f74aa59908e13614b3a564b472ea30ca1d62bdf2349bfea0cdaa8
SHA512d05ab1b125582a731675362bd168105682bd64f76eb4f817291ed98fbf9d870f9290b1cc2d05850b69c523f70655497dd30f87d4fd4859be9f96d2af4ef83f91
-
Filesize
1.0MB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
36KB
-
Filesize
36KB