Detonator - Submission Details

Submission Details - #9

Submission ID:	9	File ID:	30	Created:	2026-01-08 16:54:04
Submission Comment:		File Comment:		Updated:	2026-01-08 16:56:39
Submission Status:	finished	User:	guest	Completed:	2026-01-08 16:54:43
EDR Verdict:	detected	Project:		Profile:	mde
Execution Mode:	autoit for 12 seconds	Drop Path:		Profile Connector:	Proxmox
Agent Phase:	finished	Absorber Status:	running	Profile Comment:	Defender for Endpoint Win11

Source	Threat	Severity	Category	Detection Source	Detected At	Raw
Defender Local	Behavior:Win32/Meterpreter.A!sms (DefenderDB)	Severe	Suspicious Behavior	Unknown	2026-01-08 17:54:25	Raw Alert Data { "Product Name": "Microsoft Defender Antivirus", "Product Version": "4.18.25110.6", "Detection ID": "{14564217-0332-4D4B-BF15-D78FBBF3B52F}", "Detection Time": "2026-01-08T16:54:25.541Z", "Unused": "", "Unused2": "", "Threat ID": "2147729713", "Threat Name": "Behavior:Win32/Meterpreter.A!sms", "Severity ID": "5", "Severity Name": "Severe", "Category ID": "46", "Category Name": "Suspicious Behavior", "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/Meterpreter.A!sms&threatid=2147729713&enterprise=0", "Status Code": "1", "Status Description": "", "State": "1", "Source ID": "0", "Source Name": "Unknown", "Process Name": "Unknown", "Detection User": "", "Unused3": "", "Path": "behavior:_process: C:\\Users\\Public\\Downloads\\hnOp_loader_6_shellcode_1.exe, pid:4888:23860392771190; process:_pid:4888,ProcessStart:134123648595206305", "Origin ID": "0", "Origin Name": "Unknown", "Execution ID": "3", "Execution Name": "Executing", "Type ID": "0", "Type Name": "Concrete", "Pre Execution Status": "0", "Action ID": "9", "Action Name": "Not Applicable", "Unused4": "", "Error Code": "0x00000000", "Error Description": "The operation completed successfully. ", "Unused5": "", "Post Clean Status": "0", "Additional Actions ID": "0", "Additional Actions String": "No additional actions required", "Remediation User": "", "Unused6": "", "Security intelligence Version": "AV: 1.443.557.0, AS: 1.443.557.0, NIS: 1.443.557.0", "Engine Version": "AM: 1.1.25110.1, NIS: 1.1.25110.1" }
Defender Local	Behavior:Win32/Meterpreter.A!sms (DefenderDB)	Severe	Suspicious Behavior	System	2026-01-08 17:54:25	Raw Alert Data { "Product Name": "Microsoft Defender Antivirus", "Product Version": "4.18.25110.6", "Detection ID": "{FFB53B0D-A520-4197-BC9D-6004869A28E1}", "Detection Time": "2026-01-08T16:54:25.888Z", "Unused": "", "Unused2": "", "Threat ID": "2147729713", "Threat Name": "Behavior:Win32/Meterpreter.A!sms", "Severity ID": "5", "Severity Name": "Severe", "Category ID": "46", "Category Name": "Suspicious Behavior", "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/Meterpreter.A!sms&threatid=2147729713&enterprise=0", "Status Code": "1", "Status Description": "", "State": "1", "Source ID": "2", "Source Name": "System", "Process Name": "Unknown", "Detection User": "NT AUTHORITY\\SYSTEM", "Unused3": "", "Path": "behavior:_process: C:\\Users\\Public\\Downloads\\hnOp_loader_6_shellcode_1.exe, pid:4888:23860392771190; file:_C:\\Users\\Public\\Downloads\\hnOp_loader_6_shellcode_1.exe", "Origin ID": "1", "Origin Name": "Local machine", "Execution ID": "0", "Execution Name": "Unknown", "Type ID": "0", "Type Name": "Concrete", "Pre Execution Status": "0", "Action ID": "9", "Action Name": "Not Applicable", "Unused4": "", "Error Code": "0x00000000", "Error Description": "The operation completed successfully. ", "Unused5": "", "Post Clean Status": "0", "Additional Actions ID": "0", "Additional Actions String": "No additional actions required", "Remediation User": "", "Unused6": "", "Security intelligence Version": "AV: 1.443.557.0, AS: 1.443.557.0, NIS: 1.443.557.0", "Engine Version": "AM: 1.1.25110.1, NIS: 1.1.25110.1" }
Defender Local	Trojan:Win32/Bearfoos.B!ml (DefenderDB)	Severe	Trojan	System	2026-01-08 17:54:27	Raw Alert Data { "Product Name": "Microsoft Defender Antivirus", "Product Version": "4.18.25110.6", "Detection ID": "{94E69B12-7E69-4411-A30E-AE37AEC9DF0E}", "Detection Time": "2026-01-08T16:54:27.261Z", "Unused": "", "Unused2": "", "Threat ID": "2147731849", "Threat Name": "Trojan:Win32/Bearfoos.B!ml", "Severity ID": "5", "Severity Name": "Severe", "Category ID": "8", "Category Name": "Trojan", "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bearfoos.B!ml&threatid=2147731849&enterprise=0", "Status Code": "1", "Status Description": "", "State": "1", "Source ID": "2", "Source Name": "System", "Process Name": "Unknown", "Detection User": "NT AUTHORITY\\SYSTEM", "Unused3": "", "Path": "file:_C:\\Users\\Public\\Downloads\\hnOp_loader_6_shellcode_1.exe", "Origin ID": "1", "Origin Name": "Local machine", "Execution ID": "0", "Execution Name": "Unknown", "Type ID": "8", "Type Name": "FastPath", "Pre Execution Status": "0", "Action ID": "9", "Action Name": "Not Applicable", "Unused4": "", "Error Code": "0x00000000", "Error Description": "The operation completed successfully. ", "Unused5": "", "Post Clean Status": "0", "Additional Actions ID": "0", "Additional Actions String": "No additional actions required", "Remediation User": "", "Unused6": "", "Security intelligence Version": "AV: 1.443.557.0, AS: 1.443.557.0, NIS: 1.443.557.0", "Engine Version": "AM: 1.1.25110.1, NIS: 1.1.25110.1" }
MDE Cloud Plugin	An active 'Bearfoos' malware was blocked	Low	[,",M,a,l,w,a,r,e,",]	Antivirus	2026-01-08 16:54:40	Raw Alert Data { "Timestamp": "2026-01-08T16:54:40.0850487Z", "AlertId": "da9588f039-05a2-4071-be14-656b99d2c0ea_1", "Title": "An active 'Bearfoos' malware was blocked", "Categories": "[\"Malware\"]", "AttackTechniques": "", "ServiceSource": "Microsoft Defender for Endpoint", "DetectionSource": "Antivirus", "EntityType": "Machine", "EvidenceRole": "Impacted", "EvidenceDirection": "", "FileName": "", "FolderPath": "", "SHA1": "", "SHA256": "", "ThreatFamily": "", "RemoteIP": "", "RemoteUrl": "", "AccountName": "", "AccountDomain": "", "AccountSid": "", "AccountObjectId": "", "AccountUpn": "", "DeviceId": "26e94d7d31835ae93feefa077b51255ddc1ec98f", "DeviceName": "DESKTOP-8V3JHHQ", "LocalIP": "", "NetworkMessageId": "", "EmailSubject": "", "Application": "", "OAuthApplicationId": "", "ProcessCommandLine": "", "RegistryKey": "", "RegistryValueName": "", "RegistryValueData": "", "AdditionalFields": "{\"HostName\":\"DESKTOP-8V3JHHQ\",\"NetBiosName\":\"DESKTOP-8V3JHHQ\",\"OSFamily\":\"Windows\",\"OSVersion\":\"10.0\",\"IsDomainJoined\":false,\"RemediationProviders\":[{\"RemediationState\":\"Active\",\"RemediationDate\":\"2026-01-08T16:55:33.6343658Z\",\"Type\":\"remediation-provider\"}],\"LastRemediationState\":\"Active\",\"ThreatAnalysisSummary\":[{\"AnalyzersResult\":[],\"Verdict\":\"Suspicious\",\"AnalysisDate\":\"2026-01-08T16:55:33.6343658Z\"}],\"LastVerdict\":\"Suspicious\",\"Asset\":true,\"DetailedRoles\":[\"PrimaryDevice\"],\"RbacScopes\":{\"ScopesPerType\":{\"MachineGroupIds\":{\"Mode\":\"Any\",\"Scopes\":[\"230559\"]},\"Workloads\":{\"Mode\":\"All\",\"Scopes\":[\"Mdatp\"]}}},\"Type\":\"host\",\"LeadingHost\":true,\"Role\":0,\"MachineId\":\"26e94d7d31835ae93feefa077b51255ddc1ec98f\",\"MachineIdType\":3,\"HostMachineId\":null,\"DetectionStatus\":\"Detected\",\"SuspicionLevel\":\"Suspicious\",\"IsIoc\":false,\"MergeByKey\":\"uWzq2U4AULCY75vwWysN8+QpS9U=\",\"MergeByKeyHex\":\"B96CEAD94E0050B098EF9BF05B2B0DF3E4294BD5\"}", "Severity": "Low", "CloudResource": "", "CloudPlatform": "", "ResourceType": "", "ResourceID": "", "SubscriptionId": "", "SentinelWorkspaceIds": "", "FileSize": {}, "ApplicationId": {} }
MDE Cloud Plugin	Meterpreter post-exploitation tool	Medium	[,",S,u,s,p,i,c,i,o,u,s,A,c,t,i,v,i,t,y,",]	Antivirus	2026-01-08 16:54:25	Raw Alert Data { "Timestamp": "2026-01-08T16:54:25.8759807Z", "AlertId": "dae3b06554-21ad-4803-94c6-063cdd4e426b_1", "Title": "Meterpreter post-exploitation tool", "Categories": "[\"SuspiciousActivity\"]", "AttackTechniques": "[\"Dynamic-link Library Injection (T1055.001)\"]", "ServiceSource": "Microsoft Defender for Endpoint", "DetectionSource": "Antivirus", "EntityType": "Machine", "EvidenceRole": "Impacted", "EvidenceDirection": "", "FileName": "", "FolderPath": "", "SHA1": "", "SHA256": "", "ThreatFamily": "", "RemoteIP": "", "RemoteUrl": "", "AccountName": "", "AccountDomain": "", "AccountSid": "", "AccountObjectId": "", "AccountUpn": "", "DeviceId": "26e94d7d31835ae93feefa077b51255ddc1ec98f", "DeviceName": "DESKTOP-8V3JHHQ", "LocalIP": "10.10.20.100", "NetworkMessageId": "", "EmailSubject": "", "Application": "", "OAuthApplicationId": "", "ProcessCommandLine": "", "RegistryKey": "", "RegistryValueName": "", "RegistryValueData": "", "AdditionalFields": "{\"HostName\":\"DESKTOP-8V3JHHQ\",\"NetBiosName\":\"DESKTOP-8V3JHHQ\",\"OSFamily\":\"Windows\",\"OSVersion\":\"10.0\",\"IsDomainJoined\":false,\"IpInterfaces\":[{\"$id\":\"2\",\"Address\":\"10.10.20.100\",\"Type\":\"ip\"},{\"$id\":\"3\",\"Address\":\"fe80::2d45:c001:9803:438e\",\"Type\":\"ip\"},{\"$id\":\"4\",\"Address\":\"127.0.0.1\",\"Type\":\"ip\"},{\"$id\":\"5\",\"Address\":\"::1\",\"Type\":\"ip\"}],\"RemediationProviders\":[{\"RemediationState\":\"Active\",\"RemediationDate\":\"2026-01-08T16:55:31.5620124Z\",\"Type\":\"remediation-provider\"}],\"LastRemediationState\":\"Active\",\"ThreatAnalysisSummary\":[{\"AnalyzersResult\":[],\"Verdict\":\"Suspicious\",\"AnalysisDate\":\"2026-01-08T16:55:31.5620124Z\"}],\"LastVerdict\":\"Suspicious\",\"Asset\":true,\"DetailedRoles\":[\"PrimaryDevice\"],\"RbacScopes\":{\"ScopesPerType\":{\"MachineGroupIds\":{\"Mode\":\"Any\",\"Scopes\":[\"230559\"]},\"Workloads\":{\"Mode\":\"All\",\"Scopes\":[\"Mdatp\"]}}},\"Type\":\"host\",\"LeadingHost\":true,\"Role\":0,\"MachineId\":\"26e94d7d31835ae93feefa077b51255ddc1ec98f\",\"MachineIdType\":3,\"HostMachineId\":null,\"DetectionStatus\":\"Detected\",\"SuspicionLevel\":\"Suspicious\",\"EnrichmentType\":\"MachineIpInterfacesEnrichment\",\"IsIoc\":false,\"MergeByKey\":\"uWzq2U4AULCY75vwWysN8+QpS9U=\",\"MergeByKeyHex\":\"B96CEAD94E0050B098EF9BF05B2B0DF3E4294BD5\"}", "Severity": "Medium", "CloudResource": "", "CloudPlatform": "", "ResourceType": "", "ResourceID": "", "SubscriptionId": "", "SentinelWorkspaceIds": "", "FileSize": {}, "ApplicationId": {} }

[2026-01-08T16:54:04.661084] DB: Submission created
[2026-01-08T16:54:08.357119] Connected to agent at http://10.10.20.100:8080 on attempt 1
[2026-01-08T16:54:10.367877] Successfully acquired lock on attempt 1
[2026-01-08T16:54:10.400538] RedEdr: Start trace for process: hnOp_loader_6_shellcode_1
[2026-01-08T16:54:13.405143] Executing file hnOp_loader_6_shellcode_1.exe on DetonatorAgent at 10.10.20.100
[2026-01-08T16:54:13.406625] Executing with for 12s and path C:\Users\Public\Downloads\
[2026-01-08T16:54:20.865044] Success executing file hnOp_loader_6_shellcode_1.exe
[2026-01-08T16:54:20.866313] Waiting, runtime of 12 seconds...
[2026-01-08T16:54:20.867688] Starting local EDR data gatherer
[2026-01-08T16:54:20.869986] Starting EDR Cloud plugin: CloudMdePlugin
[2026-01-08T16:54:32.875665] Runtime completed
[2026-01-08T16:54:43.443651] Process successfully killed
[2026-01-08T16:54:43.451857] Successfully released lock
[2026-01-08T16:54:43.453027] All information gathered from Agents, processing logs...
[2026-01-08T16:56:14.154304] VM successfully reverted
[2026-01-08T16:56:17.238220] VM successfully started

[2026-01-08 16:54:12.997 UTC] information: Exec: Execute request received for file: hnOp_loader_6_shellcode_1.exe
[2026-01-08 16:54:12.997 UTC] information: Exec: Using execution type: autoit
[2026-01-08 16:54:13.002 UTC] information: Defender Plugin: Started Windows Defender EDR log collection at 2026-01-08T16:54:13.002
[2026-01-08 16:54:13.002 UTC] information: Exec: Writing file: C:\Users\Public\Downloads\hnOp_loader_6_shellcode_1.exe
[2026-01-08 16:54:13.002 UTC] information: Writing malware to: C:\Users\Public\Downloads\hnOp_loader_6_shellcode_1.exe, xorkey: 221
[2026-01-08 16:54:13.019 UTC] information: Successfully wrote malware to: C:\Users\Public\Downloads\hnOp_loader_6_shellcode_1.exe
[2026-01-08 16:54:13.026 UTC] information: Executing malware using AutoIt Explorer: C:\Users\Public\Downloads\hnOp_loader_6_shellcode_1.exe with args: 
[2026-01-08 16:54:13.028 UTC] information: Opening explorer.exe to execute file: C:\Users\Public\Downloads\hnOp_loader_6_shellcode_1.exe
[2026-01-08 16:54:13.040 UTC] information: Explorer opened with PID: 5748
[2026-01-08 16:54:19.322 UTC] information: Stored Explorer window title for cleanup: Downloads (from path: C:\Users\Public\Downloads)
[2026-01-08 16:54:19.322 UTC] information: Sending Enter key to open file: hnOp_loader_6_shellcode_1.exe
[2026-01-08 16:54:20.354 UTC] information: Found started process hnOp_loader_6_shellcode_1 with PID: 4888
[2026-01-08 16:54:20.354 UTC] information: Process started successfully using AutoIt Explorer with PID: 4888
[2026-01-08 16:54:20.409 UTC] information: Exec: Malware executed successfully with PID: 4888
[2026-01-08 16:54:20.420 UTC] information: Process 4888 completed (AutoIt Explorer)
[2026-01-08 16:54:20.479 UTC] information: Defender Plugin: Querying Windows Defender events from 2026-01-08T16:54:13.000000000Z to 2026-01-08T16:54:20.479879000Z
[2026-01-08 16:54:20.556 UTC] information: Defender Plugin: Retrieved 0 Windows Defender events
[2026-01-08 16:54:20.644 UTC] information: Defender Plugin: Successfully parsed 0 alerts
[2026-01-08 16:54:30.652 UTC] information: Defender Plugin: Querying Windows Defender events from 2026-01-08T16:54:13.000000000Z to 2026-01-08T16:54:30.652494000Z
[2026-01-08 16:54:30.698 UTC] information: Defender Plugin: Retrieved 7 Windows Defender events
[2026-01-08 16:54:30.708 UTC] information: Defender Plugin: Successfully parsed 6 alerts
[2026-01-08 16:54:40.718 UTC] information: Defender Plugin: Querying Windows Defender events from 2026-01-08T16:54:13.000000000Z to 2026-01-08T16:54:40.718479000Z
[2026-01-08 16:54:40.763 UTC] information: Defender Plugin: Retrieved 9 Windows Defender events
[2026-01-08 16:54:40.764 UTC] information: Defender Plugin: Successfully parsed 8 alerts
[2026-01-08 16:54:42.473 UTC] information: Exec: Kill request received
[2026-01-08 16:54:42.473 UTC] information: Defender Plugin: Stopping Windows Defender EDR log collection at 2026-01-08T16:54:42.473
[2026-01-08 16:54:42.475 UTC] information: Attempting to kill process with PID using AutoIt: 4888
[2026-01-08 16:54:42.477 UTC] information: Successfully killed process with PID using AutoIt: 4888
[2026-01-08 16:54:42.997 UTC] information: Attempting to close Explorer window with title: Downloads
[2026-01-08 16:54:42.997 UTC] information: Explorer window with title 'Downloads' not found - may have already been closed
[2026-01-08 16:54:43.002 UTC] information: LogsController: Retrieving agent logs

stdout:


stderr:

[
    "2026-01-08 17:46:33.359 - RedEdr 0.5.5",
    "2026-01-08 17:46:33.360 - Config: tracing malware",
    "2026-01-08 17:46:33.361 - Permissions: Enabled PRIVILEGED & DEBUG",
    "2026-01-08 17:46:33.361 - Manager: Starting all subsystems...",
    "2026-01-08 17:46:35.936 - ETW: Microsoft-Windows-Kernel-Process (1, 2, 3, 4, 5, 6, 11)",
    "2026-01-08 17:46:36.670 - ETW: Microsoft-Windows-Kernel-Audit-API-Calls (3, 4, 5, 6)",
    "2026-01-08 17:46:37.153 - ETW: Microsoft-Windows-Kernel-File (10, 30)",
    "2026-01-08 17:46:37.610 - ETW: Microsoft-Windows-Kernel-Network (12, 15, 28, 31, 42, 43, 58, 59)",
    "2026-01-08 17:46:37.610 - ETW: All providers configured, ready to start collecting",
    "2026-01-08 17:46:37.610 - !ETW: Started Thread (handle 00000000000001FC)",
    "2026-01-08 17:46:37.611 - Manager: Populating process cache with all running processes",
    "2026-01-08 17:46:37.611 - ProcessResolver: Starting to populate cache with all running processes",
    "2026-01-08 17:46:37.630 - ProcessResolver: Successfully populated cache with 120 processes",
    "2026-01-08 17:46:37.630 - ProcessResolver: Total cached processes: 120",
    "2026-01-08 17:46:37.630 - ProcessResolver: Started cleanup thread with 30 minute interval",
    "2026-01-08 17:46:37.630 - Manager: All subsystems started",
    "2026-01-08 17:46:37.631 - !EventProcessor: Started Thread (handle 000000000000039C)",
    "2026-01-08 17:46:37.631 - !Web: Started Thread (handle 0000000000000388)",
    "2026-01-08 17:46:37.631 - Track Thread 0 (handle 0x00000000000001FC)",
    "2026-01-08 17:46:37.631 - WEB: Web Server listening on http://0.0.0.0:8081",
    "2026-01-08 17:46:37.631 - Track Thread 1 (handle 0x000000000000039C)",
    "2026-01-08 17:46:37.631 - Track Thread 2 (handle 0x0000000000000388)",
    "2026-01-08 17:46:37.632 - RedEdr: All started, waiting for 3 threads to exit",
    "2026-01-08 17:54:09.959 - Trace targets: 1 targets",
    "2026-01-08 17:54:09.959 -   - hnOp_loader_6_shellcode_1",
    "2026-01-08 17:54:09.959 - ProcessResolver: Re-evaluating all cached processes with current target names",
    "2026-01-08 17:54:13.113 - Process: observe pid 5748: explorer.exe /select,\"C:\\Users\\Public\\Downloads\\hnOp_loader_6_shellcode_1.exe\"",
    "2026-01-08 17:54:19.830 - Process: observe pid 4888: \"C:\\Users\\Public\\Downloads\\hnOp_loader_6_shellcode_1.exe\" "
]